User Guide

Enriched object field types

A field of type object is a collection of sub-fields, and some of those sub-fields may themselves be collections of sub-fields. Think of an object as a JSON block, a dictionary for Python users, or a map for C/C++ users. Sub-fields are referenced using dot notation (for example, dst.geo.country).

Some object types are very common and are reused throughout the schema, such as the ip-object. An ip-object is a field with the structure shown in the IP-Objects table below. Because these object types appear in many different event types, you should be familiar with them.
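The dot-notation lookup described above, as an added example (not code from the FortiNDR Cloud documentation). The event is constructed: src and dst follow the IP-Objects, asn and geo tables on this page, the lat/lon key names inside geo.location are assumed, and the helper also flags paths that use the deprecated asn sub-fields named in the deprecation notice.

```python
"""Resolve dot-notation sub-field paths over a nested event.

Added example; not code from the FortiNDR Cloud documentation. The event
below is constructed: src and dst follow the IP-Objects, asn and geo tables
on this page, and the lat/lon key names inside geo.location are assumed.
"""

# Constructed sample event. dst values are borrowed from the page's examples;
# 203.0.113.10 is a documentation address standing in for a real peer.
SAMPLE_EVENT = {
    "src": {"ip": "10.10.10.10", "port": 52843, "internal": True},
    "dst": {
        "ip": "203.0.113.10",
        "port": 443,
        "internal": False,
        "asn": {"asn": 16509, "asn_org": "Amazon.com, Inc."},
        "geo": {
            "city": "Boardman",
            "country": "US",
            "subdivision": "OR",
            "location": {"lat": 45.8491, "lon": -119.7143},  # assumed key names
        },
    },
}

# Sub-fields the deprecation notice on this page says are no longer supported.
DEPRECATED_ASN_SUBFIELDS = ("asn.isp", "asn.org")


def get_field(event, path, default=None):
    """Walk a dotted path such as "dst.geo.country" one component at a time.

    Every component must index a dict. A missing key, or a scalar reached
    before the path is exhausted, yields `default` instead of raising, so a
    rule can test optional enrichment (geo is often absent on internal
    hosts) without try/except.
    """
    current = event
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return default
        current = current[part]
    return current


def flatten(obj, prefix=""):
    """Yield (dotted_path, value) for every leaf, i.e. every queryable path."""
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, path)
        else:
            yield path, value


def deprecated_path_warning(path):
    """Return a warning if `path` ends in a deprecated asn sub-field on any
    IP-related field (src.asn.org, dst.asn.isp, ...), else None."""
    for dep in DEPRECATED_ASN_SUBFIELDS:
        if path == dep or path.endswith("." + dep):
            return f"{path}: {dep} is no longer supported; use asn.asn_org or asn.asn"
    return None


if __name__ == "__main__":
    print(get_field(SAMPLE_EVENT, "dst.geo.country"))  # US
    print(get_field(SAMPLE_EVENT, "src.geo.country"))  # None: no geo on src
    for path, value in flatten(SAMPLE_EVENT):
        print(f"{path} = {value!r}")
    print(deprecated_path_warning("dst.asn.org"))
```

`flatten` is handy when validating a saved query against a real event: every path it yields is one the query language can reference, and anything the warning helper flags should be rewritten before the deprecated sub-field stops being populated.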

Note (deprecation notice): The asn.isp and asn.org fields are no longer supported. Use the asn.asn_org or asn.asn fields instead. This change applies to all IP-related fields.

The following topics describe each object field type and the sub-fields it contains:

IP-Objects
Domain-Objects
Host-Objects
URI-Objects
URL-Objects
File-Objects
Email-Objects

IP-Objects

The following table describes the fields that contain enriched information for an IP address:

Field | Type | Description
asn | asn-object | ASN information for the IP address. Example: see the asn table below.
$device | synthetic field | Enables querying devices by hostname or MAC address. Note: this field is only available on the src and dst fields.
geo | geo-object | Geographic information for the IP address. Example: see the geo table below.
internal | Boolean | Indicates whether the IP address is internal to the network. Example: true
ip | ip | The IP address. Example: 10.10.10.10
ip_bytes | int | The number of bytes transmitted by the IP address within the flow (only populated in Flow events). Example: 458 Bytes
pkts | int | The number of packets transmitted by the IP address within the flow (only populated in Flow events). Example: 8
port | int | The port used by the IP address. Example: 52843
username | int | The user name from Zscaler used in device detections (only populated in DNS, Flow, HTTP, and SSL events). Example: john.smith@fortinet.com
hostname | int | The host name from Zscaler used in device detections (only populated in DNS, Flow, HTTP, and SSL events). Example: F09NQJM1ABC

The asn field contains the following sub-fields:

Field | Type | Description
asn | int | The Autonomous System Number. Example: 16509
asn.asn_org | string | The organization name associated with the ASN (the organization that actually uses the ASN). Example: Amazon.com, Inc.
asn.asn | string | The upstream ISP for the ASN. Example: Amazon.com
org | string | The upstream owner of the ASN; may differ from asn_org. Example: Amazon.com

The geo field contains the following sub-fields:

Field | Type | Description
city | string | The city of record. Example: Boardman
country | string | The country of record. Example: US
location | object | The longitude and latitude of record. Example: (45.8491,-119.7143)
subdivision | string | The segment of the country (states in the US). Example: OR

Domain-Objects

The following table describes the fields that contain enriched information for a domain:

Field | Type | Description
domain | string | The domain. Example: portal.fortindr.forticloud.com
domain_entropy | float | The computed Shannon entropy of the domain. Example: 3.5
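How a Shannon entropy value like the domain_entropy field is computed, as an added example rather than the product's implementation. The page does not say how the input is normalized (case, dots, TLD), so this version measures the whole lower-cased domain string in bits per character; the sample domains are constructed.

```python
"""Shannon entropy of a domain name, the quantity behind domain_entropy.

Added example, not the FortiNDR Cloud implementation. Normalization (whole
string, lower-cased) is an assumption; the page only states that the value
is the computed Shannon entropy of the domain.
"""
import math
from collections import Counter


def shannon_entropy(text):
    """Bits per character: -sum(p(c) * log2 p(c)) over the distinct characters.

    Returns 0.0 for an empty string or a string of one repeated character.
    """
    if not text:
        return 0.0
    n = len(text)
    return -sum((count / n) * math.log2(count / n) for count in Counter(text).values())


def domain_entropy(domain):
    """Entropy of the full domain string, lower-cased (assumed normalization)."""
    return shannon_entropy(domain.lower())


def rank_by_entropy(domains):
    """Highest-entropy names first, a cheap way to surface DGA-like domains
    for analyst review. CDN and cloud hostnames also score high, so treat
    the score as a triage signal to combine with other fields, not a verdict."""
    return sorted(domains, key=domain_entropy, reverse=True)


if __name__ == "__main__":
    # Constructed sample domains.
    for name in rank_by_entropy(["portal.fortindr.forticloud.com", "aaaa.com", "abcdefgh.com"]):
        print(f"{domain_entropy(name):.3f}  {name}")
```

Longer domains tend to score higher simply because more distinct characters fit in them, which is one reason a raw entropy threshold alone produces noisy results; comparing against a baseline of the organization's normal DNS traffic works better than a fixed cut-off.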


Host-Objects

Host-Objects fields contain enriched information for both IP addresses and domains, because the field's value can be either one (for example, an HTTP Host header or a DNS answer).

Host-Objects contain the combined sub-fields of IP-Objects and Domain-Objects.

URI-Objects

Fields that contain a URI are broken up into its components:

Field | Type | Description
fragment | string | The fragment identifier component. Example: #
host | host-object | The content of the Host header. Example: portal.fortindr.forticloud.com
params | object-array | The HTTP parameters as an array of key-value pairs.
path | string | The path of the requested resource. Example: search
port | integer | The specified port. Example: 443
query | string | The full parameter string. Example: query=8.8.8.8&sort_dir=desc
scheme | string | The specified scheme. Example: https
uri | string | The full URI. Example: https://portal.fortindr.forticloud.com:443/search?query=8.8.8.8&sort_dir=desc#
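Splitting a URI into the components of the table above, and building the host-object for its host (which, as the Host-Objects section says, may be an IP address or a domain). This is an added example, not the product's parser. Component names follow the URI-Objects table; representing params as {"key": ..., "value": ...} objects and the host-object as {"ip": ...} or {"domain": ...} are assumptions. The path keeps urllib's leading slash and an empty fragment is returned as "", whereas the page's examples show "search" and "#".

```python
"""Split a URI into uri-object components and classify its host.

Added example, not FortiNDR Cloud code. The params and host-object shapes
are assumptions; the sample URIs are the page's example plus constructed ones.
"""
import ipaddress
from urllib.parse import parse_qsl, urlsplit


def host_object(host):
    """A host-object may hold either an IP address or a domain (HTTP Host
    header, DNS answer). Decide which by trying to parse it as an address,
    which handles both IPv4 and IPv6 literals."""
    try:
        ipaddress.ip_address(host)
        return {"ip": host}
    except ValueError:
        return {"domain": host.lower()}


def parse_uri(uri):
    """Return a dict with the uri-object components of `uri`."""
    parts = urlsplit(uri)
    host = parts.hostname or ""  # lower-cased; IPv6 brackets already stripped
    try:
        port = parts.port  # None when the URI does not specify one
    except ValueError:
        port = None  # malformed port such as "example.com:abc"
    return {
        "scheme": parts.scheme,
        "host": host_object(host),
        "port": port,
        "path": parts.path,
        "query": parts.query,
        # keep_blank_values so "a=&b=1" still yields the "a" key
        "params": [
            {"key": k, "value": v}
            for k, v in parse_qsl(parts.query, keep_blank_values=True)
        ],
        "fragment": parts.fragment,
        "uri": uri,
    }


if __name__ == "__main__":
    example = "https://portal.fortindr.forticloud.com:443/search?query=8.8.8.8&sort_dir=desc#"
    for field, value in parse_uri(example).items():
        print(f"{field}: {value!r}")
    print(parse_uri("http://8.8.8.8/dns-query")["host"])  # {'ip': '8.8.8.8'}
```

Keeping `query` as the raw string alongside the decoded `params` list matters for detection work: a signature written against the raw string still fires when the decoded pairs look innocuous, and vice versa.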

URL-Objects

Fields that contain both a host-object and a uri-object are referred to as a url-object.

URL-Objects contain the combined sub-fields of Host-Objects and URI-Objects.

File-Objects

File-Objects fields contain enriched information for an observed file:

Field | Type | Description
bytes | int | The file's size in bytes. Example: 145922
md5 | string | The computed MD5 hash. Example: 92a4d0aeede3ce110b4121342df48496
mime_type | string | The fingerprinted MIME type. Example: application/x-dosexec
name | string | The observed name. Example: 2487ff63fb4e79.gif
sha1 | string | The computed SHA1 hash. Example: e63932430d4028b51fa25dae13d9e0188e9a02a5
sha256 | string | The computed SHA256 hash. Example: 227193160a2448dfa8bbbd2cf125afa9cca0d1a718b109a3adae5df8a24cdf6e
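Assembling a file-object from file content and checking the one thing the table's own examples hint at: the observed name ends in .gif while the fingerprinted MIME type is application/x-dosexec, a Windows executable. This is an added example, not the product's code. The magic-byte table and the extension-to-MIME map are small assumed lookups (libmagic-style fingerprinting is far more complete), and the sample bytes are constructed.

```python
"""Build a file-object (bytes, md5, sha1, sha256, mime_type, name) and flag a
name/content mismatch.

Added example, not FortiNDR Cloud code. MAGIC_TYPES and EXTENSION_TYPES are
assumed lookups; "MZ" -> application/x-dosexec matches the page's example.
"""
import hashlib
import os

# Assumed magic-byte table: content prefix -> MIME type.
MAGIC_TYPES = [
    (b"MZ", "application/x-dosexec"),
    (b"\x7fELF", "application/x-executable"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"%PDF-", "application/pdf"),
]

# Assumed: the type a filename extension claims the content has.
EXTENSION_TYPES = {
    ".exe": "application/x-dosexec",
    ".gif": "image/gif",
    ".png": "image/png",
    ".pdf": "application/pdf",
}


def fingerprint_mime(data):
    """Type by content, never by name: first matching magic prefix wins."""
    for magic, mime in MAGIC_TYPES:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def file_object(data, name, chunk_size=65536):
    """Hash the content once for all three digests and assemble the file-object."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for offset in range(0, len(data), chunk_size):
        block = data[offset:offset + chunk_size]
        for digest in digests.values():
            digest.update(block)
    return {
        "bytes": len(data),
        "md5": digests["md5"].hexdigest(),
        "mime_type": fingerprint_mime(data[:16]),
        "name": name,
        "sha1": digests["sha1"].hexdigest(),
        "sha256": digests["sha256"].hexdigest(),
    }


def extension_mismatch(fobj):
    """True when the name's extension claims a type other than the fingerprinted
    one, e.g. a '.gif' name carrying application/x-dosexec. Unknown extensions
    are not a mismatch."""
    claimed = EXTENSION_TYPES.get(os.path.splitext(fobj["name"])[1].lower())
    return claimed is not None and claimed != fobj["mime_type"]


if __name__ == "__main__":
    # Constructed: a PE-style "MZ" header behind a .gif name, like the page's example.
    fake_gif = file_object(b"MZ\x90\x00" + b"\x00" * 60, "2487ff63fb4e79.gif")
    print(fake_gif["mime_type"], extension_mismatch(fake_gif))
```

Pivoting on sha256 rather than name is the reliable way to correlate the same file across events; md5 and sha1 are kept because threat-intelligence feeds still publish them, not because they are collision resistant.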


Email-Objects

Email-Objects fields contain an email address broken up into its components:

Field | Type | Description
domain | string | The domain. Example: gmail.com
email | string | The entire email address. Example: jdoe@gmail.com
name | string | The name. Example: jdoe
