Time in minutes that the device should obey the control command; e.g., in Device-Communication-Control, how long the device is to suppress or enable communications per the request.

Example: 5

Unique identifier used to correlate a confirmed APDU request (such as Device-Communication-Control or Reinitialize-Device) with its acknowledgment or response.

Example: 1

The specific BACnet APDU service invoked for device control (e.g., “ReinitializeDevice” or “DeviceCommunicationControl”).

Example: reinitialize_device

The SHA-256 hash of the password supplied in the Device-Communication-Control or Reinitialize-Device request if required by the device for authentication or to execute the control command.

Example: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

Outcome of the control operation: one of Success, Error, Reject, or Abort.

Example: ERROR

If the result was Error, Reject, or Abort, this is the specific error/reject/abort code returned by the device; otherwise often “OK” or similar success-indicator.

Example:

The state to which the device is being set by the control service (for instance, the state in Reinitialize-Device such as “coldstart”, “warmstart”, etc.).

Example: coldstart

Numerical part of the device’s identifier (the instance number) used in discovery to uniquely address the device on the network.

Example: 1

The instance number of the object being discovered, combined with object_type to uniquely identify that object within the device.

Example: 930101

The name property of the object discovered (Object_Name BACnet property), e.g. a human-readable name for the device or object as configured on the BACnet device.

Example: FLR12_DEMAND

The type of BACnet object that is announced/discovered in the discovery process (for example, Device, Analog-Input, Binary-Output, etc.).

Example: device

The specific BACnet discovery service in use (for example, “Who-Is” or “I-Am”)

Example: who-is

The “Who-Is” discovery range that was used (e.g. “0-4194303”) indicating lower and upper limits of device instance numbers requested to announce themselves; helps scope discovery messages.

Example: 1944802-1944802

Type of identifier used to represent the device’s identity (often the “Device” object identifier or its subtype)

Example:

The vendor identifier or vendor name of the device responding to the discovery, per the BACnet Vendor ID registry.

Example: Schneider Electric

If the property is an array, this is the index of the element being accessed; if omitted or zero, it often means the whole array or default behavior per spec.

Example: 1

The instance number of the object within the device.

Example: 111

The unique identifier used to correlate confirmed APDU property requests (Read-Property or Write-Property) with their acknowledgments in BACnet traffic.

Example: 232

The type of BACnet object (e.g. Analog Input, Binary Output, Device, etc.) whose property is being accessed or modified.

Example: device

The specific BACnet APDU service invoked for device control (e.g. “ReinitializeDevice” or “DeviceCommunicationControl”))

Example: read-property-ack

The property identifier within the object (e.g. Present_Value, Status_Flags, Description, etc.) being read or written.

Example: object-list

The value of the property (for Read-Property-ACK or Write-Property-Request) as represented in the BACnet message; could be numerical, enumeration, string, etc.

Example: device: 111

The BVLC (BACnet Virtual Link Control) function for this BACnet/IP packet (identifies how the packet is being used, e.g. Original-Unicast-NPDU, Forwarded-NPDU, etc.)

Example: BVLC_Result

The unique identifier (invoke ID) used to track Confirmed APDU/NPDU requests and their acknowledgements/responses.

Example: 215

The Bacnet service (which service is being invoked or replied to, e.g. ReadProperty, WriteProperty, WhoIs, etc.)

Example: read_property

The Bacnet service type (the APDU PDU type, e.g. Confirmed-Request, Unconfirmed-Request, Simple-ACK, Error, etc.)

Example: CONFIRMED_REQUEST

The Error/reject/abort code or reason if the APDU is an Error, Reject, or Abort. This field is not applicable for NPDU context, it will be null.

Example: Successful_completion

The remote service targeted by the command

Example: samr

The command submitted to the remote service

Example: SamrOpenDomain

The name of the target pipe (or the destination port if not named

Example: \pipe\lsass

The IP assigned to the client

Example: 10.0.0.10

Shows whether a lease is being requested or acknowledged

Example: Request

The client hostname

Example: bob-pc

Number of seconds that the lease is valid

Example: 1800

The time at which the lease expires

Example: 2019-06-24T07:31:35.012Z

The client MAC address

Example:

The name of the function message in the reply.

Example: RESPONSE

The name of the function message in the request.

Example: CONFIRM

Function code (READ or RESPONSE)

Example: RESPONSE

DNP3 object type

Example: 32-Bit Binary Counter

DNP3 object type

Example: 32-Bit Binary Counter

Range (high) of object

Example: 9

Range (low) of object

Example: 0

Function code (READ or RESPONSE)

Example: RESPONSE

DNP3 object type

Example: 32-Bit Binary Counter

DNP3 object type

Example: 32-Bit Binary Counter

Range (high) of object

Example: 9

Range (low) of object

Example: 0

The answers returned by the DNS server for the query

Example: [103.2.116.79, 103.2.116.83]

The transport layer protocol used

Example: udp

The numeric code of the query type

Example: 1

The string name of the query type

Example: A

The domain being queried

Example: www.google.com

The numeric code of the result

Example: 0

The string name of the result

Example: NOERROR

Indicates whether the query was rejected by the server

Example: false

Type of category of the IPS signature.

• Info: IDS with informational severity
• AppID: Application control
• IDS: Intrusion Detection
• Botnet: IDS's botnet specific signature
• OT - Threats: IDS for Operational Technology
• OT - Protocol: AppCtrl for Operational Technology

Example:IDS

Severity of the triggered IPS signature.

• Info: 0
• Low: 1
• Medium: 2
• High: 3
• Critical: 4

Example:0

The triggered IPS signature name.

Example:ITCM.Class.D_Wayside.Status.Message.WIUStatus.Timed.Beacon

Attack ID or ID of the IPS signature.

Example:12343

Possible behavior for the application in which the triggered IPS signature refers to.

Example:Evasive

The application category for the triggered IPS signature, if there is any.

Example:Operational.Technology

Language used in the application in which the triggered IPS signature refers to.

Example:N/A

Name of the application.

Example:Other

OS of the application or vulnerable system/devices.

Example:All

Technology group or type for the application in which the triggered IPS signature refers to.

Example:Client-Server

Vendor of the application in which the triggered IPS signature refers to.

Example:Other

Default port and protocol for the application in which the triggered IPS signature is referring to.

Example:UDP/1900

ID of the IPS signature that link to the triggered IPS signature.

Example:56843

Which group the triggered IPS signature belongs to.

Example:SCADA

Version number for the triggered IPS signature.

Example:13401

Session ID for the traffic.

Example:0

ID for the CVE reference.

Example:20050380

Does the current IPS signature need SSL decryption to work.

Example:False

Vulnerablity ID or Applicatioin ID for the IPS signature (Note: One VID could contain multiple AID).

Example:33456

An additional flow identifier for joining Flow events.

Example: 1:f69i+MdCEA8QnAKnKVE0Pyyta24=

The number of seconds the flow lasted

Example: 7s

Lifecycle summary of the connection observed for this flow. Includes standard Zeek/Bro connection states and periodic P* states.

Example: SF

Supported values:

Additionally, FortiNDR Cloud logs P* flow states. These states are logged for long‑lived connections once every 24 hours, with the flow_state reflecting the current state of the TCP/UDP state machine. The byte totals logged are cumulative since connection start, rather than incremental since the previous log entry. In practice, this typically results in PS0 (one‑sided connection, retry under the 5‑minute timeout), PS1 (two‑sided connection where the start was observed), and POTH (the start of the connection was not observed).

The transport layer protocol used

Example: tcp

The application(s) observed in the flow, if any

Example: http

The total combined bytes transmitted over the connection

Example: 927 bytes

The total combined packets transmitted over the connection

Example: 11

The destination of the data channel

Example: 10.0.0.2

The distance (in miles) between the IP addresses of the data channel

Example: 5077.89

Indicates whether the session is in passive mode

Example: True

The source of the data channel

Example: 10.0.0.10

Files transferred over the session

Example: N/A

The full argument string supplied to the command

Example: ftp://10.0.0.2/secrets.zip

The client command

Example:RETR

The server response code to the command

Example: 227

The server response string to the command

Example: Entering Passive Mode (10,0,0,2,197,36)

Variable names extracted from all cookies.

Example: disp.prefs,_utmz ,_utmc,_utma, TS01f95106, _utmb

Files downloaded over the HTTP connection

The content of the Accept header

Example: [image/webp, image/apng, image/*, */*;q=0.8]

The vector of HTTP header names sent by the client.

Example: Cache-Control, Connection, Pragma, Content-Type, User-Agent, X-Havoc, X-Havoc-Agent, Content-Length, Host

The computed MD5 hash of the headers content

Example: d41d8cd98f00b204e9800998ecf8427e

The contents of the Content Type header

Example: [text/xml; charset="utf-8"]

The length of the cookie in bytes

Example: 194

The content of the Location header

Example: http://amupdatedl3.microsoft.com/server/amupdate/metadata/UniversalManifest.cab

The content of the Origin header

Example: http://go.com

The sequence of IPs the HTTP connection is proxied through

Example: [172.16.0.1, 172.16.0.2]

The full content of the Refresh header

Example: 1;URL=http://travelingtravelerhome.wordpress.com/

The timeout period in seconds

Example: 1

The URI of the Refresh header

Example: http://travelingtravelerhome.wordpress.com/

The web server software

Example: Microsoft-IIS/6.0

The vector of HTTP header names sent by the server.

Example: VIA, DATE SERVER, CONNECTION, X-2SENDPT1, X-WSENDPT2, CONTENT-LENGTH

The application software running on the server

Example: ASP.NET

The content Host header

Example: www.google.com

The message returned with a 100-level response code

Example: Continue

The HTTP method selected

Example: GET

A list of proxy steps

Example: PROXY-CONNECTION -> Keep-Alive

The content of the Referrer header

Example: http://au.search.yahoo.com/search?p=planetside.co.uk&fr=sfp&fr2=sb-top-search

The length in bytes of the request

Example: 0

Example: text/plain

The length in bytes of the response

Example: 24

Example: text/html

The numeric code of the server's response

Example: 200

The string name of the server's response

Example: OK

The depth of redirects

Example: 4

The full URI of the request

Example:/index.php

The content of the UserAgent header

Example: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

The cipher suite used to encrypt the ticket

Example: aes256-cts-hmac-sha1-96

The client that requested the ticket; machine accounts have a $ at the end of their name but user accounts do not.

Example: jane.doe/ACME.CORP, financewks008$/ACME.CORP

Client certificate file unique ID

Example: Xbtku3TdsfdsdfasdfA8VNsk

Client certificate Subject field

Example: CN=C865433

The error message returned for failed requests

Example: KDC_ERR_CLIENT_NAME_MISMATCH

Indicates whether the ticket's forwardable flag is set

Example: True

Indicates whether the ticket's renewable flag is set

Example: True

The type of ticket requested, either a ticket-granting ticket from the authentication server (AS) or a service ticket from the ticket-granting server (TGS)

Example: AS, TGS

Server certificate file unique ID

Example: FvAdJGsjeXuhSvE9m

Server certificate Subject field

Example: CN=dc09.google.com

The service for which a ticket is being requested

Example: krbtgt/ACME.CORP

Indicates whether the request was successful

Example: True

The ticket duration in seconds

Example: 86400

Time the ticket is good from

Example: 2015-09-13T02:48:05.000Z

Additional arguments this message includes.

Example: REDACTED

The unique identifier that is used to correlate requests and responses.

Example: 2

The objects names this message refers to.

Example: ATRLAB\\Administrator

The operation code indicating what type of message it is.

Example: bind, simple

The result code if the message contains a result.

Example: success

The unique identifier that is used to correlate requests and responses.

Example: 2

Result code of search operation.

Example: success

A list of attributes that were returned in the search.

Example: 2

Base search objects.

Example: 2

Set of deref alias.

Example: 2

A string representation of the search filter used in the query.

Example: 2

Number of results returned.

Example: 2

Set of search scopes.

Example: 2

Example: true

Starting address of value(s) field.

The name of the function message that was sent.

Example: READ_INPUT_REGISTERS

Number of addresses/values read or written to.

REQUEST or RESPONSE

Modbus transaction identifier

Modbus terminal unit identifier.

Number of bytes in a flow.

Example: 106

Destination network address associated with a particular network flow with the mask.

Example: 0.0.0.0/0

Virtual LAN identifier associated with egress interface.

Example: 0

Ethernet type (0x0800 for IPv4). Entire list is here: https://en.wikipedia.org/wiki/EtherType

Example: IPv4

The fragment ID.

Example: 19093

The fragment-offset value from fragmented IP packets.

Example: 0

Code of the ICMP message.

Example: 0

ICMP flags

Example: 0

Input interface.

Example: 512

IP flags

Example: 0

IP Type of Service.

Example: 0

TTL value observed for packets of the flow.

Example: 64

IPv6 flow label as in RFC 2460 definition.

Example: 0

Size of protocols seen in the flow.

Example: [14, 4, 20, 8]

Protocols seen in this flow.

Example: [Ethernet, MPLS, IPv4, ICMP]

Output interface.

Example: 0

Denominator of how frequently data is collected. Meaning a sampling rate of 100 means one out of every 100 packets is sampled. Helps reduce the load on network devices and collectors by only exporting a portion of the traffic.

Example: 1

The IP address of the network device (typically a router) that is performing packet sampling and exporting NetFlow data.

Example: 169.254.0.2

Type of netflow

Example: IPFIX

Source network address associated with a particular network flow with the mask.

Example: 0.0.0.0/0

Virtual LAN identifier associated with ingress interface.

Example: 0

TCP flags

Example: 0

Allows you to associate network traffic flows with their respective VLANs.

Example: 0

Protocol used in the traffic.

Example: TCP

The type of event

Example: flow

Number of packets in a flow.

Example: 1

The number of bytes transmitted by the IP address

The number of packets transmitted by the IP address

If the source and destination IPs are switched due to port values.

Example: false

The number of bytes transmitted by the IP address

The classified application for a flow

The IP of the responder to the connection

Example: 8.8.8.8

Enrichments for an IP

The port of the responder to the connection

Example: 53

Description of a file to provide more context. For example, if a notice was related to a file over HTTP, the URL of the request would be shown.

If the notice event is related to a file, this will be the mime type of the file.

A file unique ID if this notice is related to a file.

Description of activity noticed.

Example: 10.1.0.47 appears to be guessing SSH passwords (seen in 30 connections).

Associated count, or perhaps a status code.

Notice type

Example: SSH::Password_Guessing

The actions which have been applied to this notice.

Example: [Notice::ACTION_LOG]

Textual description for the peer that raised this notice, including name, host address and port.

The transport protocol.

The IP of the initiator of the connection

Example: 10.10.10.10

Enrichments for an IP

The port of the initiator of the connection

Example: 52843

Technical details of the activity.

Example: Sampled servers: 10.1.0.86, 10.1.0.86, 10.1.0.86, 10.1.0.86, 10.1.0.86

This field indicates the length of time that this unique notice should be suppressed.

The domain used to authenticate the client

Example: ACME

The client hostname used

Example: FINANCEWKS008

String indicating the result of the authentication

Example: SUCCESS

Indicates whether the authentication succeeded

Example: True

The timestamp for which the flagged activity ended.

Example: 2019-01-01T00:00:00.000Z

An IQL statement that attempts to identify the events used to generate the observation.

Example: src.ip = '10.10.10.10' AND customer_id = 'chg' AND dce_rpc:dce_rpc_operation = 'NetrSessionEnum' AND timestamp >= t'2019-01-01T22:00:00.000000Z' AND timestamp <= t'2019-01-01T22:10:00.000000Z'

The timestamp for which the flagged activity began.

Example: 2019-01-01T00:00:00.000Z

The subject of an observation.

Example: relationship

The class of what was observed about the subject.

Example: specific

The confidence (high, medium, or low) in the model output to what was attempted to be observed.

Example: high

The title of what was attempted to be detected - similar to a suricata sig name.

Example: High Count of NetSession Destinations

A unique identifier for the model used to generate the observation. Multiple models may exist for the same title.

Example: ac33189b-ee31-4f5e-b6a1-dcb63d9a7295

The compile timestamp extracted from the file

Example: 2015-11-12T10:23:51.000Z

The enriched file properties (hashes, size, MIME-type)

Example: N/A

Indicates whether the file has an attribute certificate table

Example: True

Indicates whether the file has a debug table

Example: True

Indicates whether the file has an export table

Example: True

Indicates whether the file has an import table

Example: True

An internal unique identifier for the file

Example: FrkSk6Y0mqKGxMBF6

Indicates whether the file is 64-bit

Example: True

Indicates whether the file is executable or just an object

Example: True

The architecture the file was compiled for

Example: I386

The OS the file was compiled for

Example: Windows XP

An array of section names extracted from the file

Example: [.text, .rdata, .data, .rsrc]

The subsystem the file was compiled for

Example: WINDOWS_GUI

Indicates whether the file supports ASLR

Example: True

Indicates whether the file enforces code integrity checks

Example: True

Indicates whether the file supports DEP

Example: True

Identifies communication relationships

Authentication protocol - set to 0 for no authentication

Flag 1 Bit 6 Broadcast (is the call a broadcast)

Flag 2 Bit 1 Cancel was pending at call end (a cancellation request was received from the client for a specific remote procedure call (RPC), but the call completed before the cancellation could be processed. )

Character encoding: ASCII, EBCDIC

Version Fack

Floating point representations: IEEE, VAX, CRAY, etc.

Flag 1 Bit 2 Fragment

Fragment number set to the number of the current fragment.

Activity hint

Flag 1 Bit 5 Idempotent

Integer encoding: Big Endian or Little Endian

Interface hint

Interface version major

Interface version minor

Identifies the interface of an IO device, controller, etc.

Flag 1 Bit 1 Last Fragment

Length of body set to the number of octets of NDRDdata in the current frame.

Maximum fragment size

Maximum Tsdu

Flag 1 Bit 4 Maybe (the client sends a request but does not wait for a response)

Flag 1 Bit 3 No fragment acknowledge requested

Object instance within a physical device

Operation number identifies the PNIO service supported by the PNIO interfaces.

Packet Type: Request, Response, Fault, etc.

Flag 1 Bit 0 Reserved for implementation

Flag 1 Bit 7 Reserved for implementation

Used RPC version

Array of selective ACK

Selective ACK length

Used with activity_UUID to uniquely identify a RPC call.

The high octet of the fragment number of the call

The low octet of the fragment number of the call

Serial number

Server boot time

Window size

Destination Connection ID (DCID). This DCID is used for routing and packet protection by client and server.

Example: 95412c47018cdfe8

QUIC Application-Layer Protocol Negotiation (ALPN) extension. This is the extension’s first entry.

Example: h3

Source Connection ID chosen by the client in its INITIAL packet. This ID is used for packet protection and is typically random and unpredictable.

Example: 4823dfc5a047e6acd230b5c5e047ced9b0a6b542

Provides a history of QUIC protocol activity in a connection, similar to the history field in Conn.

Example: ISisH

A QUIC-supported server responds to a DCID by selecting a Source Connection ID (SCID). Occurs within the server’s first INITIAL packet.

Example: 0130dfc5a047e6acd230b5c5e047ced9b0a6bbf0

A string interpretation of the QUIC version number, usually “1” or “quicv2”

Example: 1

The number of certificates seen

Example: 0

Indicates if the provided certificate or certificate chain is permanent

Example: True

The type of certificate used if the connection is encrypted with native RDP encryption

Example: RSA

The client RDP version

Example: RDP 5.1

The client product ID

Example: 715e03e8-6eef-4c53-b022-rbcd967

The client hostname

Example: bob-PC

The truncated account name used by the client

Example: bob

The client desktop height

Example: 1080

The client desktop width

Example: 1920

The encryption level used

Example: Client compatible

The encryption method used

Example: 128bit

The client keyboard layout (language)

Example: English -United States

The color depth requested by the client in the high_color_depth field

Example: 32bit

The result for the connection, derived from a mix of RDP negotiation failure messages and GCC server create response messages

Example: Succeed

Files transferred over the SMB connection

Example: N/A

The last time the file was accessed

Example: 2018-04-08T22:48:07.958Z

The file's size in kilobytes

Example: 145922

The last time the file's metadata changed

Example: 2018-04-08T22:48:07.958Z

The time the file was created

Example: 2018-04-08T22:48:07.958Z

The last time the file's content changed

Example: 2018-04-08T22:48:07.958Z

The post-transfer name of the file (can be renamed before writing to disk)

Example: secrets.zip

The pre-transfer name of the file

Example: exfil.zip

The full network path to the target share

Example: \\DYNACCOUNTIC-DC.dynaccountic.com\sysvol

The target network share

Example: sysvol

Example: DYNACCOUNTIC-DC.dynaccountic.com

The file system type on the target host (for Disk shares)

Example: NTFS

The type of share established

Example: DISK

The full network path to the target share

Example: \\DYNACCOUNTIC-DC.dynaccountic.com\sysvol

The target network share

Example: sysvol

The target host

Example: DYNACCOUNTIC-DC.dynaccountic.com

The content of the Date header

Example: Thu, 12 Jul 2015 17:59:01 -0400 (EDT)

The full content of the first Received header

Example: from JIM@GMAIL.COM ([198.51.100.1]) by SALLY@GMAIL.COM ([101.9.210.120]) with mapi id 14.01.1039.013; Thu, 12 Jul 2015 18:09:44 -0500

The content of the From header

Example: jdoe@gmail.com

The argument supplied to the HELO command

Example: client.example.com

The Message-ID in the In-Reply-To header

Example: <b8bba2baae4c2a08fdff4e223458577d@gmail.com>

Indicates whether the message was sent through a webmail interface

Example: true

The last message the server sent to the client

Example: 250 Message accepted for delivery

The argument supplied to the MAIL FROM command

Example: support@acme.corp

The Message-ID of the message

Example: <b8bba2baae4c2a08fdff4e223458577d@gmail.com>

The message transmission path extracted from the Received headers

Example: [192.161.0.200, 204.148.78.113]

The argument supplied to the RCPT TO command

Example: jdoe@gmail.com

The content of the Reply-To header

Example: jdoe@gmail.com

The content of the second Received header

Example: from JIM@GMAIL.COM ([198.51.100.1]) by SALLY@GMAIL.COM ([101.9.210.120]) with mapi id 14.01.1039.013; Thu, 12 Jul 2015 18:09:44 -0500

The content of the Subject header

Example: Click this link!

Indicates whether the connection switched to using TLS

Example: true

The content of the To header

Example: [jdoe@gmail.com, kdoe@gmail.com]

The depth of this message transaction where multiple messages were transferred in a single connection

Example: 1

A list of URLs extracted from the message

Example: [http://malware.pwn//root.ps1, https://www.google.com]

The content of the client's User-Agent header

Example: SquirrelMail/1.4.22

Community string of the first packet associated with the session

Example: public

A system description of the SNMP responder endpoint

Example: Roma v1.9 v9.5.0_W EQ

Amount of time between the first in the session and the latest one seen in seconds

Example: 12.209241

Number of variable bindings in GetBulkRequest PDUs seen for the session

Example: 3

Number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session

Example: 7

Number of variable bindings in GetResponse/Response PDUs seen for the session

Example: 2

number of variable bindings in SetRequest PDUs seen for the session

Example: 10

Time at which the SNMP responder endpoint claims it’s been up since

Example: 2024-09-19T00:00:49.536262Z

The host from which the software was observed

Example: 10.0.0.10

The name of the observed software

Example: Wget

The category of the observed software

Example: HTTP::BROWSER

Arbitrary notes about the software

Example: linux-gnu

The major version number

Example: 1

The first minor version number

Example: 19

The second minor version number

Example: 1

The third minor version number

Example: 0

The full version string

Example: Wget/1.19.1 (linux-gnu)

The inferred authentication result

Example: True

The encryption algorithm used

Example: aes128-ctr

The client version string

Example: SSH-2.0-OpenSSH_7.6

The compression algorithm used

Example: none

The direction of the connection, Outbound if the client was a local host logging into an external host and Inbound in the opposite situation

Example: Inbound

Network fingerprinting which can be used to identify specific Client and Server SSH implementations.

Example: 98ddc5604ef6a1006a2b49a58759fbe6

Network fingerprinting which can be used to identify specific Server SSH implementations.

Example: cd77a550c195f0e4ea637e367fa499e8

The server fingerprint

Example: a1:a2:79:80:6d:b1:77:82:d8:6c:aa:ee:25:19:23:42

The server's key algorithm.

Example: ssh-rsa

The key exchange algorithm used

Example: ecdh-sha2-nistp256

The signing (MAC) algorithm used

Example: hmac-sha1

The server version string

Example: SSH-2.0-OpenSSH_7.4

The cipher suite selected by the server

Example: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

The Issuer field of the client's certificate

Example: CN=Google Internet Authority G2,O=Google Inc,C=US

The Subject field of the client's certificate

Example: CN=*.google.com,O=Google Inc

The Issuer field of the server's certificate

Example: CN=Google Internet Authority G2,O=Google Inc,C=US

The computed JA3 hash for the client

Example: 4d7a28d6f2263ed61de88ca66eb011e3

The computed JA3 hash of the server

Example: 4d7a28d6f2263ed61de88ca66eb011e3

The computed JA4 hash for the client hello packet

Example: t13d1516h2_acb858a92679_e5627efa2ab1

The enriched Server Name Indication set by the client

Example: www.google.com

The ID used for session resumption (deprecated)

Example: N/A

The Subject field of the server's certificate

Example: CN=*.google.com,O=Google Inc

Result of certificate validation for this connection (deprecated)

Example: Success

An additional flow identifier for joining Suricata and Conn events.

Payloads are generated by the sensor’s IDS engine. This field displays the raw payload from traffic that matched a detection signature. This ASCII representation helps you determine whether the traffic is malicious or benign.

Payloads are disabled by default due to the potential exposure of sensitive or personally identifiable information (PII). When enabled, you can click the field to view the payload in FortiNDR Cloud.

Payloads can be enabled upon request through Fortinet Support.

The transport layer protocol used.

Example: tcp

The query's category.

Example: A Network Trojan was Detected

The query's ID.

Example: 2024290

The query's name.

Example: ET TROJAN Jaff Ransomware Checkin M1

The query's revision number.

Example: 2

The action taken on the tunnel

Example: Tunnel::DISCOVER

Protocol used in the traffic.

Example: TCP

If the source and destination IPs are switched due to port values.

Example: false

AWS account ID owning the source network interface.

Example: 123456789101

The action associated with the traffic.

Example: ACCEPT

Availability Zone ID of the network interface.

Example: usw2-az1

The time when the last packet was received in the aggregation interval.

Example: 2019-01-01T00:00:00.000000Z

The direction of the flow relative to the interface.

Example: ingress

ID of the VPC containing the network interface.

Example: vpc-123f7d9bb71e45e11

ID of the associated instance.

Example: i-123b3953f10184bde

ID of the network interface.

Example: eni-0ff7168c44159f431

Type of traffic IP version.

Example: IPv4

Logging status of the flow log.

Example: OK

Packet-level original destination IP address.

Example: 10.1.0.1

Subnet name for packet destination IP.

Example: AMAZON

Packet-level original source IP address.

Example: 10.1.0.2

Subnet name for packet source IP.

Example: S3

IANA protocol number of the traffic.

Example: 6

AWS region containing the network interface.

Example: us-west-2

Reason the traffic was rejected.

Example: BPA

ID of the subnet containing the interface.

Example: subnet-12356986a7885a583

Bitmask value for TCP flags.

Example: 2

Number of packets transferred during the flow.

Example: 1

Indicates whether the CA flag is set

Example: False

The maximum path length

Example: 10

The file ID of the certificate

Example: FNbDqq2ZxjNk10D7ie

The content of the Issuer field

Example: O=Internet Widgits Pty Ltd,ST=Some-State,C=AU

The length of the key

Example: 2048

The type of key used

Example: rsa

The list of DNS entries in the SAN

Example: [*.outlook.com, *.office365.com]

The list of email entries in the SAN

Example: [dave@email.corp]

The list of IP entries in the SAN

Example: [169.254.1.1]

The list of URI entries in the SAN

Example: [https://169.254.1.1]

The serial number of the certificate

Example: E3BD4F4F884EADDA

The content of the Subject field

Example: O=Internet Widgits Pty Ltd,ST=Some-State,C=AU

The time before the certificate became valid

Example: 2018-01-11T14:35:34.000Z

The time once the certificate becomes invalid

Example: 2018-01-11T14:35:34.000Z