User Guide

Common fields

Several fields are common across all event types. Some serve administrative purposes (such as a unique event identifier or the originating sensor) while others are essential for interpreting network traffic, including timestamps and source/destination IP addresses. Each of the following fields is present in every event, with a few exceptions noted in the table below.

account (string): The name of the account that owns the event. Example: Training
customer_id (string): The code of the account that owns the event. Example: chg
dst (ip-object): The responder to the connection. Example: 8.8.8.8
event_type (string): The type of event recorded. Example: smp
flow_id (string): A unique identifier for a flow, shared by all events produced from that particular flow. Example: CtjvJR1nIzN4WFSuc7
geo_distance (float): The geographic distance between the src and dst geo values. Example: 1410.373826280689
intel (intel-array): An array of intel-objects matching entities in the event.
sensor_id (string): The sensor that created the event. Example: chg1
source (string): The source of the event. Example: Zeek
src (ip-object): The initiator of the connection. Example: 10.10.10.10
timestamp (timestamp): The time at which traffic for the event began. Example: 2019-01-01T00:00:00.000Z
uuid (string): A unique identifier for the event. Example: 1ca116cb-9262-11e9-b5bf-02472fee9a4a

The intel field is an array of values of type intel-object. The sub-fields of each intel-object are listed below.

confidence (string): The overall confidence rating of the intel source. Example: high
feed (string): The name of the intel source. Example: Sinkholes
indicator (string): The matched entity. Example: 131.253.18.12
indicator_type (string): The entity type. Example: ip_address
is_malicious (boolean): Indicates whether the indicator is believed to be malicious. Example: false
meta (string): A JSON string of all metadata provided by the intel source. Example: {"description":"Observed C2 Activity","references":["Fortinet FortiGuard Labs"]}
severity (string): The overall severity rating of the intel source. Example: high
timestamp (timestamp): The creation time of the intel record. Example: 2019-01-01T00:00:00.000Z

Exceptions to common fields

DPI: The flow_id field is not included in dpi events.
Netflow: In NetFlow events, the src (source) and dst (destination) fields use the interface_enriched type, which is based on ip-object, rather than ip-object itself. This enriched type includes everything in ip-object; unique to NetFlow, the src and dst objects also include the mac (MAC address) field.
Software: The Software event type does not have src and dst fields because it is not extracted from raw network traffic. Instead, the record is inferred from the contents of one or more fields.
Suricata: The Suricata event type does not have a flow_id field because it is generated by a completely different process than the other event types. You must match Suricata events to their associated flows using the IP address and ports of the event.
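As an added example (not part of the Fortinet guide), the Python below checks an event for the common fields listed above while honouring the documented per-type exceptions, decodes the intel meta JSON string to pull out malicious matches, and joins a Suricata event to its flow by IP address and port as the Suricata exception describes. It assumes that ip-object exposes ip and port sub-fields, which this page does not document, and the sample events are constructed from the example values in the tables.

```python
import json

# Fields this page lists as common to every event type.
COMMON_FIELDS = {"account", "customer_id", "dst", "event_type", "flow_id", "geo_distance",
                 "intel", "sensor_id", "source", "src", "timestamp", "uuid"}
# Documented exceptions: fields legitimately absent for a given event_type.
# Netflow keeps src/dst (typed interface_enriched), so it needs no entry.
EXCEPTIONS = {"dpi": {"flow_id"}, "software": {"src", "dst"}, "suricata": {"flow_id"}}

def missing_fields(event):
    """Common fields absent from `event`, net of the documented per-type exceptions."""
    exempt = EXCEPTIONS.get(str(event.get("event_type", "")).lower(), set())
    return sorted((COMMON_FIELDS - exempt) - event.keys())

def malicious_indicators(event):
    """(indicator, feed, description) for each intel match flagged is_malicious.
    The table types `meta` as a JSON *string*, so decode it; bad JSON yields ''."""
    hits = []
    for rec in event.get("intel") or []:
        if rec.get("is_malicious"):
            try:
                meta = json.loads(rec.get("meta") or "{}")
            except json.JSONDecodeError:
                meta = {}
            hits.append((rec["indicator"], rec["feed"], meta.get("description", "")))
    return hits

def flow_key(event):
    """Direction-agnostic endpoint set for joining a Suricata event to its flow.
    ASSUMPTION: ip-object carries 'ip' and 'port' sub-fields (not documented on this page)."""
    return frozenset((event[s]["ip"], event[s].get("port")) for s in ("src", "dst"))

def flow_ids_for_suricata(suricata_event, flow_events):
    """flow_id values of events whose IPs and ports match the Suricata event (the page's method)."""
    key = flow_key(suricata_event)
    return sorted({e["flow_id"] for e in flow_events if "flow_id" in e and flow_key(e) == key})

# Constructed sample events (not real data); values mirror the examples in the tables above.
INTEL_HIT = {"confidence": "high", "feed": "Sinkholes", "indicator": "131.253.18.12",
             "indicator_type": "ip_address", "is_malicious": True, "severity": "high",
             "timestamp": "2019-01-01T00:00:00.000Z",
             "meta": '{"description":"Observed C2 Activity","references":["Fortinet FortiGuard Labs"]}'}
SMP = {"account": "Training", "customer_id": "chg", "event_type": "smp", "flow_id": "CtjvJR1nIzN4WFSuc7",
       "geo_distance": 1410.373826280689, "intel": [INTEL_HIT], "sensor_id": "chg1", "source": "Zeek",
       "src": {"ip": "10.10.10.10", "port": 49152}, "dst": {"ip": "131.253.18.12", "port": 443},
       "timestamp": "2019-01-01T00:00:00.000Z", "uuid": "1ca116cb-9262-11e9-b5bf-02472fee9a4a"}
SURICATA = {k: v for k, v in SMP.items() if k != "flow_id"}  # Suricata events never carry flow_id
SURICATA.update(event_type="suricata", intel=[], uuid="constructed-uuid-0002")
```

Running `flow_ids_for_suricata(SURICATA, [SMP])` recovers the flow_id of the matching Zeek event, and `missing_fields(SURICATA)` is empty because the absent flow_id is an exempted field for that type.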
