Event types and fields
This section contains information about the event types available in FortiNDR Cloud, the fields parsed for each event type. Here, as well as an explanation of the fundamental concepts like field types and common fields.
Event types
Each event type contains a set of common fields (included in all event types) and event fields (unique to the event type).
The following table shows the event types supported by FortiNDR Cloud:
|
Event Type |
Description |
|---|---|
|
dce_rpc |
A single DCE/RPC command |
|
dhcp |
A single DHCP lease |
|
dns |
A single DNS request and response |
|
dnp3 |
A DNP3 connection. |
|
dnp3_control |
DNP3 Control Relay Output Block and Pattern Control Block data. |
|
dnp3_object |
DNP3 Read Object data. |
|
flow |
An IP-layer network connection |
|
ftp |
A single FTP connection, both establishment and data transfer |
|
http |
A single HTTP request and response |
|
kerberos |
A single Kerberos request from any step of the process |
|
modbus |
A Modbus connection |
|
notice |
A notice from Zeek’s analysis scripts |
|
ntlm |
A single NTLM authentication attempt |
|
observation |
An event generated by the analytics backend based on a correlation of multiple events |
|
pe |
A portable executable (PE) file transferred over a connection |
|
rdp |
An attempted Windows RDP connection |
|
smb_file |
The transfer of one or more files using SMB |
|
smb_mapping |
The mapping of a networked resource using SMB |
|
smtp |
An SMTP message |
|
software |
An inference of software running on a host based on observed fields from other events |
|
ssh |
An attempted SSH connection |
|
ssl |
The creation of an encrypted channel using SSL or TLS |
|
suricata |
A match for a single Suricata query |
|
tunnel |
A single established tunnel |
|
x509 |
An observed x509 record |
Field types
Most fields are atomic, meaning they cannot be broken down further. However, FortiNDR Cloud fields can also be a structured object, either an object or an array. See Enriched object field types.
Fields in FortiNDR Cloud can be one of the following types.
| Field Type | Description | Example |
|---|---|---|
| int | An integer value (port, bytes, packets, etc.) | 1
|
| float | A decimal value (distance, entropy, etc.) | 1.0
|
| Boolean | true of false | True
|
| string | A sequence of arbitrary characters | hello world
|
| timestamp | A RFC3339 timestamp value | 2019-01-01T00:00:00.000Z
|
| ip | A single IP address or valid CIDR-notation | 8.8.8.8, 10.0.1.0/24 |
| object | An arbitrary JSON structure containing nested subfields | N/A |
| array | An array of values of the same type | N/A |
Enriched object field types
A field that is of type object simply means the field is actually a collection of sub-fields. Some of those sub-fields could also be another collection of sub-fields. Think of an object as a JSON block, or a dictionary for the Python users, or a map for the C/C++ users. Sub-fields are then referenced using dot notation, (for example, dst.geo.country).
Some object types are very common and are used over and over again, such as an ip-object. An ip-object refers to a field with the structure shown in the ip-object table. These field types are used throughout the different event types, so you should be familiar with them.
The following topics provide a description of each object field type and the sub-fields it contains:
IP-Objects
The following table describes the fields that contain enriched information for an IP address:
| Field | Type | Description | Example |
|---|---|---|---|
asn
|
asn-object | ASN information for the IP address | See table below |
$device
|
synthetic field | Enables querying devices by hostname or MAC address. Note: this field is only available for the src and dst fields. |
N/A |
geo
|
geo-object | Geographic information for the IP address | See table below |
internal
|
Boolean | Indicates whether the IP address is internal to the network | true
|
ip
|
ip | The IP address | 10.10.10.10
|
ip_bytes
|
int | The number of bytes transmitted by the IP address within the flow (only populated in Flow events) | 458 Bytes
|
pkts
|
int | The number of packets transmitted by the IP address within the flow (only populated in Flow events) | 8
|
port
|
int | The port used by the IP address | 52843
|
username
|
int | The user name from Zscaler used in device detections (only populated in DNS, Flow, HTTP, and SSL events). | john.smith@fortinet.com
|
hostname
|
int | The host name from Zscaler used in device detections (only populated in DNS, Flow, HTTP, and SSL events). | F09NQJM1ABC
|
The asn field contains the following subfields.
| Field | Type | Description | Example |
|---|---|---|---|
asn
|
int | The Autonomous System Number | 16509
|
asn_org
|
string | The organization name associated with the ASN (they actually use the ASN) | Amazon.com, Inc.
|
isp
|
string | The upstream ISP for the ASN | Amazon.com
|
org
|
string | The upstream owner of the ASN - may differ from asn_org |
Amazon.com
|
The geo field contains the following subfields.
| Field | Type | Description | Example |
|---|---|---|---|
city
|
string | The city of record | Boardman
|
country
|
string | The country of record | US
|
location
|
object | The longitude and latitude of record | (45.8491,-119.7143)
|
subdivision
|
string | The segment of the country (states in the US) | OR
|
Back to Enriched object field types.
Domain-Objects
The following table describes the fields that contain enriched information for a domain:
| Field | Type | Description | Example |
|---|---|---|---|
domain
|
string | The domain | portal.fortindr.forticloud.com
|
domain_entropy
|
float | The computed Shannon entropy of the domain | 3.5
|
Back to Enriched object field types.
Host-Objects
Host-Objects fields contain enriched information for both IP addresses and domains because the field could be either one. For example an HTTP Host header or a DNS answer.
Host-Objects contain the combined sub-fields in:
Back to Enriched object field types.
URI-Objects
Fields that contain a URI are broken up into its different components.
| Field | Type | Description | Example |
|---|---|---|---|
fragment
|
string | The fragment identifier component | #
|
host
|
host-object | The content of the Host header | portal.fortindr.forticloud.com
|
params
|
object-array | The HTTP parameters as an array of key-value pairs | N/A |
path
|
string | The path of the requested resource | search
|
port
|
integer | The specified port | 443
|
query
|
string | The full parameter string | query=8.8.8.8&sort_dir=desc
|
scheme
|
string | The specified scheme | https
|
uri
|
string | The full URI | https://portal.fortindr.forticloud.com:443/search?query=8.8.8.8&sort_dir=desc#
|
URL-Objects
Fields that contain both a host-object and a uri-object are referred to as a url-object.
URL-Objects contain the combined sub-fields in:
Back to Enriched object field types.
File-Objects
File-Objects fields contain enriched information for an observed file.
| Field | Type | Description | Example |
|---|---|---|---|
bytes
|
int | The file's size in bytes | 145922
|
md5
|
string | The computed MD5 hash | 92a4d0aeede3ce110b4121342df48496
|
mime_type
|
string | The fingerprinted MIME-type | application/x-dosexec
|
name
|
string | The observed name | 2487ff63fb4e79.gif
|
sha1
|
string | The computed SHA1 hash | e63932430d4028b51fa25dae13d9e0188e9a02a5
|
sha256
|
string | The computed SHA256 hash | 227193160a2448dfa8bbbd2cf125afa9cca0d1a718b109a3adae5df8a24cdf6e
|
Back to Enriched object field types.
Email-Objects
Email-Objects fields contain an email address broken up into its different components.
| Field | Type | Description | Example |
|---|---|---|---|
domain
|
string | The domain | gmail.com
|
email
|
string | The entire email address | jdoe@gmail.com
|
name
|
string | The name | jdoe
|
Back to Enriched object field types.
Common fields
There are a handful of fields that appear in every event type. Some fields are for housekeeping, such as a unique identifier for every event or the sensor that created the event, while others are fundamental to network traffic, such as timestamps and source/destination IP addresses. Each of the following fields are contained in every event with a few exceptions documented in the table below.
| Field | Type | Description | Example |
|---|---|---|---|
account
|
string | The name of the account that owns the event | Training
|
customer_id
|
string | The code of the account that owns the event | chg
|
dst
|
ip-object | The responder to the connection | 8.8.8.8
|
flow_id
|
string | A unique identifier for a flow shared by all events produced from that particular flow | CtjvJR1nIzN4WFSuc7
|
geo_distance
|
float | The difference between src and dst geo values |
1410.373826280689
|
intel
|
intel-array | An array of intel-objects matching entities in the event | N/A |
sensor_id
|
string | The sensor that created the event | chg1
|
src
|
ip-object | The initiator of the connection | 10.10.10.10
|
timestamp
|
timestamp | The time at which traffic for the event began | 2019-01-01T00:00:00.000Z
|
uuid
|
string | A unique identifier for the event | 1ca116cb-9262-11e9-b5bf-02472fee9a4a
|
The intel field is an array of values of type intel-object. The table below lists the sub-fields contained within the intel field.
| Field | Type | Description | Example |
|---|---|---|---|
confidence
|
string | The overall confidence rating of the intel source | high
|
feed
|
string | The name of the intel source | Sinkholes
|
indicator
|
string | The matched entity | 131.253.18.12
|
indicator_type
|
string | The entity type | ip_address
|
is_malicious
|
Boolean | Indicates whether the indicator is believed to be malicious | false
|
meta
|
string | A JSON string of all metadata provided by the intel source | {"description":"Observed C2 Activity","references":["Fortinet FortiGuard Labs"]}
|
severity
|
string | The overall severity rating of the intel source | high
|
timestamp
|
timestamp | The creation time of the intel record | 2019-01-01T00:00:00.000Z
|
Exceptions to common fields
-
The
softwareevent type does not havesrcanddstfields because it is not extracted from raw network traffic. Instead, the record is inferred based on the contents of one or more fields. -
The
suricataevent type does not have aflow_idfield because it is generated by a completely different process than the other event types. You must matchsuricataevents to their associated flows using the IP address and ports of the event.
See also Common fields.
Event fields
The following topics describe the fields unique to each event type.
- DCE RPC fields
- DHCP fields
- DNS fields
- dnp3
- dnp3_control
- dnp3_object
- Flow fields
- FTP fields
- HTTP fields
- Kerberos fields
- Modbus fields
- Notice Fields
- NTLM fields
- Observation fields
- PE fields
- RDP fields
- SMB file fields
- SMB mapping fields
- SMTP fields
- Software fields
- SSH fields
- SSL fields
- Suricata fields
- Tunnel fields
- x509 fields
Flow fields
A flow event is created whenever packets with a unique combination of src.ip, src.port, dst.ip, dst.port, and proto are observed within a sufficient time frame.
The following table shows fields unique to the flow event type:
| Field | Type | Description | Example |
|---|---|---|---|
duration
|
float | The number of seconds the flow lasted | 7s
|
flow_state
|
string | Indicates how the connection started and ended, hover over a value to get an explanation of it | SF
|
proto
|
string | The transport layer protocol used | tcp
|
service
|
string | The application(s) observed in the flow, if any | http
|
total_ip_bytes
|
int | The total combined bytes transmitted over the connection | 927 bytes
|
total_pkts
|
int | The total combined packets transmitted over the connection | 11
|
upload_percent
|
int | The percentage of bytes transmitted by the src for the flow (56% == 56) | 56%
|
flow_state
The following table lists the different flow_state values and a brief description for each:
| flow_state | Description |
|---|---|
S0
|
Connection attempt seen, no reply. |
S1
|
Connection established, not terminated. |
SF
|
Normal establishment and termination. |
REJ
|
Connection attempt rejected. |
S2
|
Connection established and close attempt by originator seen (but no reply from responder). |
S3
|
Connection established and close attempt by responder seen (but no reply from originator). |
RSTO
|
Connection established, originator aborted (sent a RST). |
RSTR
|
Responder sent a RST. |
RSTOS0
|
Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder. |
RSTRH
|
Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator. |
SH
|
Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was “half” open). |
SHR
|
Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator. |
OTH
|
No SYN seen, just midstream traffic (a “partial connection” that was not later closed). |
DNS fields
A dns event is created when a client submits a DNS request to a server, and includes data from both the request and the response (if a response was observed).
The following table shows fields unique to the dns event type:
| Field | Type | Description | Example |
|---|---|---|---|
answers
|
host-object-array | The answers returned by the DNS server for the query | [103.2.116.79, 103.2.116.83]
|
proto
|
string | The transport layer protocol used | udp
|
qtype
|
int | The numeric code of the query type | 1
|
qtype_name
|
string | The string name of the query type | A
|
query
|
domain-object | The domain being queried | www.google.com
|
rcode
|
int | The numeric code of the result | 0
|
rcode_name
|
int | The string name of the result | NOERROR
|
rejected
|
Boolean | Indicates whether the query was rejected by the server | false
|
ttls
|
int-array | An array of TTL values, one per result | [299, 299]
|
dnp3
A DNP3 connection.
|
Field |
Type |
Description |
Example |
|---|---|---|---|
|
customer_id |
string |
The code of the account that owns the event |
chg |
|
dnp3_function_reply |
string |
The name of the function message in the reply. |
RESPONSE |
|
dnp3_function_request |
string |
The name of the function message in the request. |
CONFIRM |
|
dnp3_indication_number |
integer |
The response's "internal indication number". |
0 |
|
dst |
ip_enriched_with_port |
The responder to the connection |
8.8.8.8 |
|
event_type |
string |
The type of event recorded |
dnp3 |
|
flow_id |
string |
A unique identifier for a flow shared by all events produced from that particular flow |
CtjvJR1nIzN4WFSuc7 |
|
geo_distance |
number |
The difference between src and dst geo values |
1410.373826280689 |
|
intel |
intel[] |
Intel that matched entities in the event |
|
|
sensor_id |
string |
The sensor that created the event |
chg1 |
|
source |
string |
The source of the event |
Zeek |
|
src |
ip_enriched_with_port |
The initiator of the connection |
10.10.10.10 |
|
timestamp |
string |
The time at which traffic for the event began |
2019-01-01T00:00:00.000000Z |
|
uuid |
string |
A unique identifier for the event |
1ca116cb-9262-11e9-b5bf-02472fee9a4a |
dnp3_control
DNP3 Control Relay Output Block and Pattern Control Block data.
|
Field |
Type |
Description |
Example |
|---|---|---|---|
|
customer_id |
string |
The code of the account that owns the event |
chg |
|
dnp3_block_type |
string |
Control_Relay_Output_Block or Pattern_Control_Block |
Control Relay Output Block |
|
dnp3_execute_count |
integer |
Number of times to execute |
1 |
|
dnp3_function_code |
string |
Function code (SELECT, OPERATE, RESPONSE) |
SELECT |
|
dnp3_index_number |
integer |
Object index number |
0 |
|
dnp3_off_time |
integer |
Off time |
100 |
|
dnp3_on_time |
integer |
On time |
100 |
|
dnp3_operation_type |
string |
Null, Pulse_On, Pulse_Off, Latch_On, Latch_Off |
Latch On |
|
dnp3_status_code |
string |
Status code |
Success |
|
dnp3_trip_control_code |
string |
Null, Close, or Trip |
Null |
|
dst |
ip_enriched_with_port |
The responder to the connection |
8.8.8.8 |
|
event_type |
string |
The type of event recorded |
dnp3_control |
|
flow_id |
string |
A unique identifier for a flow shared by all events produced from that particular flow |
CtjvJR1nIzN4WFSuc7 |
|
geo_distance |
number |
The difference between src and dst geo values |
1410.373826280689 |
|
intel |
intel[] |
Intel that matched entities in the event |
|
|
is_orig |
boolean |
True if the packet is sent from the originator |
true |
|
sensor_id |
string |
The sensor that created the event |
chg1 |
|
source |
string |
The source of the event |
Zeek |
|
src |
ip_enriched_with_port |
The initiator of the connection |
10.10.10.10 |
|
timestamp |
string |
The time at which traffic for the event began |
2019-01-01T00:00:00.000000Z |
|
uuid |
string |
A unique identifier for the event |
1ca116cb-9262-11e9-b5bf-02472fee9a4a |
dnp3_object
DNP3 Read Object data.
|
Field |
Type |
Description |
Example |
|---|---|---|---|
|
customer_id |
string |
The code of the account that owns the event |
chg |
|
dnp3_function_code |
string |
Function code (READ or RESPONSE) |
RESPONSE |
|
dnp3_object_count |
integer |
DNP3 object type |
32-Bit Binary Counter |
|
dnp3_object_type |
string |
DNP3 object type |
32-Bit Binary Counter |
|
dnp3_range_high |
integer |
Range (high) of object |
9 |
|
dnp3_range_low |
integer |
Range (low) of object |
0 |
|
dst |
ip_enriched_with_port |
The responder to the connection |
8.8.8.8 |
|
event_type |
string |
The type of event recorded |
dnp3_object |
|
flow_id |
string |
A unique identifier for a flow shared by all events produced from that particular flow |
CtjvJR1nIzN4WFSuc7 |
|
geo_distance |
number |
The difference between src and dst geo values |
1410.373826280689 |
|
intel |
intel[] |
Intel that matched entities in the event |
|
|
is_orig |
boolean |
True if the packet is sent from the originator |
true |
|
sensor_id |
string |
The sensor that created the event |
chg1 |
|
source |
string |
The source of the event |
Zeek |
|
src |
ip_enriched_with_port |
The initiator of the connection |
10.10.10.10 |
|
timestamp |
string |
The time at which traffic for the event began |
2019-01-01T00:00:00.000000Z |
|
uuid |
string |
A unique identifier for the event |
1ca116cb-9262-11e9-b5bf-02472fee9a4a |
HTTP fields
An http event is created when a client submits an HTTP request to a server, and includes data from both the request and response (if the response was observed).
The following table shows fields unique to the http event type:
| Field | Type | Description | Example |
|---|---|---|---|
files
|
file-object-array | Files downloaded over the HTTP connection | N/A |
headers.accept
|
string-array | The content of the Accept header | [image/webp, image/apng, image/*, */*;q=0.8]
|
headers.content_md5
|
string | The computed MD5 hash of the headers content | d41d8cd98f00b204e9800998ecf8427e
|
headers.content_type
|
string-array | The contents of the Content Type header | [text/xml; charset="utf-8"]
|
headers.cookie_length
|
int | The length of the cookie in bytes | 194
|
headers.location
|
url-object | The content of the Location header | http://amupdatedl3.microsoft.com/server/amupdate/metadata/UniversalManifest.cab
|
headers.origin
|
url-object | The content of the Origin header | http://go.com
|
headers.proxied_ip_clients
|
ip-object-array | The sequence of IPs the HTTP connection is proxied through | [172.16.0.1, 172.16.0.2]
|
headers.refresh.refresh
|
string | The full content of the Refresh header | 1;URL=http://travelingtravelerhome.wordpress.com/
|
headers.refresh.timeout
|
int | The timeout period in seconds | 1
|
headers.refresh.uri
|
uri-object | The URI of the Refresh header | http://travelingtravelerhome.wordpress.com/
|
headers.server
|
string | The web server software | Microsoft-IIS/6.0
|
headers.x_powered_by
|
string | The application software running on the server | ASP.NET
|
host
|
host-object | The content Host header | www.google.com
|
info_msg
|
string | The message returned with a 100-level response code | Continue
|
method
|
string | The HTTP method selected | GET
|
proxied
|
string-array | A list of proxy steps | PROXY-CONNECTION -> Keep-Alive
|
referrer
|
url-object | The content of the Referrer header | http://au.search.yahoo.com/search?p=planetside.co.uk&fr=sfp&fr2=sb-top-search
|
request_len
|
int | The length in bytes of the request | 0
|
request_mime
|
string | The fingerprinted MIME-type(s) of the request content (deprecated) | text/plain
|
request_mimes
|
string-array | The fingerprinted MIME-type(s) of the request content, use instead of request_mime |
text/plain
|
response_len
|
int | 24 | The length in bytes of the response
|
response_mime
|
string | The fingerprinted MIME-type of the response content (deprecated) | text/html
|
response_mimes
|
string-array | The fingerprinted MIME-type of the response content, use instead of response_mime |
text/html
|
status_code
|
int | The numeric code of the server's response | 200
|
status_msg
|
string | The string name of the server's response | OK
|
trans_depth
|
int | The depth of redirects | 4
|
uri
|
uri-object | The full URI of the request | /index.php
|
user_agent
|
string | The content of the UserAgent header | Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
|
username
|
string | The username used with Basic Auth, if any | dave
|
SMTP fields
An smtp event is created when a client transmits an SMTP message to a server.
The following table shows fields unique to the smtp event type:
| Field | Type | Description | Example |
|---|---|---|---|
date
|
string | The content of the Date header | Thu, 12 Jul 2015 17:59:01 -0400 (EDT)
|
files
|
file-object-array | An array of the files attached to the email | N/A |
first_received
|
string | The full content of the first Received header | from JIM@GMAIL.COM ([198.51.100.1]) by SALLY@GMAIL.COM ([101.9.210.120]) with mapi id 14.01.1039.013; Thu, 12 Jul 2015 18:09:44 -0500
|
from
|
email-object | The content of the From header | jdoe@gmail.com
|
helo
|
host-object | The argument supplied to the HELO command | client.example.com
|
in_reply_to
|
string | The Message-ID in the In-Reply-To header | <b8bba2baae4c2a08fdff4e223458577d@gmail.com>
|
is_webmail
|
Boolean | Indicates whether the message was sent through a webmail interface | true
|
last_reply
|
string | The last message the server sent to the client | 250 Message accepted for delivery
|
mailfrom
|
string | The argument supplied to the MAIL FROM command | support@acme.corp
|
msg_id
|
string | The Message-ID of the message | <b8bba2baae4c2a08fdff4e223458577d@gmail.com>
|
path
|
ip-object-array | The message transmission path extracted from the Received headers | [192.161.0.200, 204.148.78.113]
|
rcptto
|
string | The argument supplied to the RCPT TO command | jdoe@gmail.com
|
reply_to
|
email-object | The content of the Reply-To header | jdoe@gmail.com
|
second_received
|
string | The content of the second Received header | from JIM@GMAIL.COM ([198.51.100.1]) by SALLY@GMAIL.COM ([101.9.210.120]) with mapi id 14.01.1039.013; Thu, 12 Jul 2015 18:09:44 -0500
|
subject
|
string | The content of the Subject header | Click this link!
|
tls
|
Boolean | Indicates whether the connection switched to using TLS | true
|
to
|
email-object-array | The content of the To header | [jdoe@gmail.com, kdoe@gmail.com]
|
trans_depth
|
int | The depth of this message transaction where multiple messages were transferred in a single connection | 1
|
urls
|
string-array | A list of URLs extracted from the message | [http://malware.pwn//root.ps1, https://www.google.com]
|
user_agent
|
string | The content of the client's User-Agent header | SquirrelMail/1.4.22
|
x_originating_ip
|
ip-object | The content of the X-Originating-IP header | 8.8.8.8
|
RDP fields
An rdp event is created when a client attempts to connect to a server using RDP.
|
Authentication cannot always be determined as the necessary data may be encapsulated within an encrypted tunnel. Therefore, the |
The following table shows fields unique to the rdp event type:
| Field | Type | Description | Example |
|---|---|---|---|
cert_count
|
int | The number of certificates seen | 0
|
cert_permanent
|
Boolean | Indicates if the provided certificate or certificate chain is permanent | True
|
cert_type
|
string | The type of certificate used if the connection is encrypted with native RDP encryption | RSA
|
client_build
|
string | The client RDP version | RDP 5.1
|
client_dig_product_id
|
string | The client product ID | 715e03e8-6eef-4c53-b022-rbcd967
|
client_name
|
string | The client hostname | bob-PC
|
cookie
|
string | The truncated account name used by the client | bob
|
desktop_height
|
int | The client desktop height | 1080
|
desktop_width
|
int | The client desktop width | 1920
|
encryption_level
|
string | The encryption level used | Client compatible
|
encryption_method
|
string | The encryption method used | 128bit
|
keyboard_layout
|
string | The client keyboard layout (language) | English -United States
|
requested_color_depth
|
string | The color depth requested by the client in the high_color_depth field | 32bit
|
result
|
string |
The result for the connection, derived from a mix of RDP negotiation failure messages and GCC server create response messages |
Succeed
|
security_protocol
|
string | Security protocol chosen by the server | RDP
|
SSL fields
An ssl event is created when a client attempts to establish an encrypted channel with a server using SSL/TLS.
The following table shows fields unique to the ssl event type:
| Field | Type | Description | Example |
|---|---|---|---|
cipher
|
string | The cipher suite selected by the server | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
client_issuer
|
string | The Issuer field of the client's certificate | CN=Google Internet Authority G2,O=Google Inc,C=US
|
client_subject
|
string | The Subject field of the client's certificate | CN=*.google.com,O=Google Inc
|
issuer
|
string | The Issuer field of the server's certificate | CN=Google Internet Authority G2,O=Google Inc,C=US
|
ja3
|
string | The computed JA3 hash for the client | 4d7a28d6f2263ed61de88ca66eb011e3
|
ja3s
|
string | The computed JA3 hash of the server | 4d7a28d6f2263ed61de88ca66eb011e3
|
server_name
|
string | The Server Name Indication set by the client (deprecated) | www.google.com
|
server_name_indication
|
domain-object | The enriched Server Name Indication set by the client | www.google.com
|
session_id
|
string | The ID used for session resumption (deprecated) | N/A |
subject
|
string | The Subject field of the server's certificate | CN=*.google.com,O=Google Inc
|
validation_status
|
string | Result of certificate validation for this connection (deprecated) | Success
|
version
|
string | The SSL/TLS version being used (period omitted) | TLSv10
|
x509 fields
An x509 event is created when an X.509 certificate is observed over a connection, such as establishing an SSL connection or encrypting an RDP session.
The following table shows fields unique to the x509 event type:
| Field | Type | Description | Example |
|---|---|---|---|
ca_constraints
|
Boolean | Indicates whether the CA flag is set | False
|
ca_constraints_len
|
int | The maximum path length | 10
|
cert_id
|
string | The file ID of the certificate | FNbDqq2ZxjNk10D7ie
|
issuer
|
string | The content of the Issuer field | O=Internet Widgits Pty Ltd,ST=Some-State,C=AU
|
key_len
|
int | The length of the key | 2048
|
key_type
|
string | The type of key used | rsa
|
san_dns
|
host-array | The list of DNS entries in the SAN | [*.outlook.com, *.office365.com]
|
san_email
|
email-array | The list of email entries in the SAN | [dave@email.corp]
|
san_ip
|
ip-array | The list of IP entries in the SAN | [169.254.1.1]
|
san_uri
|
uri-array | The list of URI entries in the SAN | [https://169.254.1.1]
|
serial
|
string | The serial number of the certificate | E3BD4F4F884EADDA
|
subject
|
string | The content of the Subject field | O=Internet Widgits Pty Ltd,ST=Some-State,C=AU
|
valid_end
|
timestamp | The time before the certificate became valid | 2018-01-11T14:35:34.000Z
|
valid_start
|
timestamp | The time once the certificate becomes invalid | 2018-01-11T14:35:34.000Z
|
version
|
string | The X.509 version | 3
|
SSH fields
An ssh event is created when a client attempts to connect to a server using SSH.
|
|
Authentication cannot be accurately determined because the necessary data is encapsulated within the encrypted tunnel. Therefore, the |
The following table shows fields unique to the ssh event type:
| Field | Type | Description | Example |
|---|---|---|---|
auth_success
|
Boolean |
The inferred authentication result |
True
|
cipher_alg
|
string | The encryption algorithm used | aes128-ctr
|
client
|
string | The client version string | SSH-2.0-OpenSSH_7.6
|
compression_alg
|
string | The compression algorithm used | none
|
direction
|
string | The direction of the connection, Outbound if the client was a local host logging into an external host and Inbound in the opposite situation |
Inbound
|
host_key
|
string | The server fingerprint | a1:a2:79:80:6d:b1:77:82:d8:6c:aa:ee:25:19:23:42
|
host_key_alg
|
string | The server's key algorithm. | ssh-rsa
|
kex_alg
|
string | The key exchange algorithm used | ecdh-sha2-nistp256
|
mac_alg
|
string | The signing (MAC) algorithm used | hmac-sha1
|
server
|
string | The server version string | SSH-2.0-OpenSSH_7.4
|
ssh_version
|
int | The SSH major version (1 or 2) | 2
|
FTP fields
An ftp event is created when a client connects to a server using FTP, and includes both the command and data channels.
The following table shows fields unique to the ftp event type:
| Field | Type | Description | Example |
|---|---|---|---|
data_channel.dst
|
ip-object | The destination of the data channel | 10.0.0.2
|
data_channel.geo_distance
|
float | The distance (in miles) between the IP addresses of the data channel | 5077.89
|
data_channel.passive
|
Boolean | Indicates whether the session is in passive mode | True
|
data_channel.src
|
ip-object | The source of the data channel | 10.0.0.10
|
files
|
file-array | Files transferred over the session | N/A |
ftp_arg
|
string | The full argument string supplied to the command | ftp://10.0.0.2/secrets.zip
|
ftp_command
|
string | The client command | RETR
|
reply_code
|
int | The server response code to the command | 227
|
reply_msg
|
string | The server response string to the command | Entering Passive Mode (10,0,0,2,197,36)
|
username
|
string | The username used to establish the connection | Admin101
|
Tunnel fields
A tunnel event is created when a tunnel is established between a client and a server.
The following table shows fields unique to the tunnel event type:
| Field | Type | Description | Example |
|---|---|---|---|
tunnel_action
|
string | The action taken on the tunnel | Tunnel::DISCOVER
|
tunnel_type
|
string | The protocol/application running over the tunnel | Tunnel::HTTP
|
DHCP fields
A dhcp event is created when a client requests a DHCP lease or when a lease is acknowledged.
The following table shows fields unique to the dhcp event type:
| Field | Type | Description | Example |
|---|---|---|---|
assignment
|
ip-object | The IP assigned to the client | 10.0.0.10
|
dhcp_msg_type
|
string | Shows whether a lease is being requested or acknowledged | Request
|
hostname
|
string | The client hostname | bob-pc
|
lease_duration
|
float | Number of seconds that the lease is valid | 1800
|
lease_end
|
timestamp | The time at which the lease expires | 2019-06-24T07:31:35.012Z
|
mac
|
string | The client MAC address | 00:30:67:f1:2d:63
|
trans_id
|
int | The transaction ID, ties together requests and acknowledgments. | 1191705957
|
Kerberos fields
A kerberos event is created when a client uses Kerberos to authenticate.
The following table shows fields unique to the kerberos event type:
| Field | Type | Description | Example |
|---|---|---|---|
cipher
|
string | The cipher suite used to encrypt the ticket | aes256-cts-hmac-sha1-96
|
client
|
string | The client that requested the ticket; machine accounts have a $ at the end of their name but user accounts do not. |
jane.doe/ACME.CORP, financewks008$/ACME.CORP |
client_cert_fuid
|
string | Client certificate file unique ID | Xbtku3TdsfdsdfasdfA8VNsk
|
client_cert_subject
|
string | Client certificate Subject field | CN=C865433
|
error_msg
|
string | The error message returned for failed requests | KDC_ERR_CLIENT_NAME_MISMATCH
|
forwardable
|
Boolean | Indicates whether the ticket's forwardable flag is set | True
|
renewable
|
Boolean | Indicates whether the ticket's renewable flag is set | True
|
request_type
|
string | The type of ticket requested, either a ticket-granting ticket from the authentication server (AS) or a service ticket from the ticket-granting server (TGS) | AS, TGS |
server_cert_fuid
|
string | Server certificate file unique ID | FvAdJGsjeXuhSvE9m
|
server_cert_subject
|
string | Server certificate Subject field | CN=dc09.google.com
|
service
|
string | The service for which a ticket is being requested | krbtgt/ACME.CORP
|
success
|
Boolean | Indicates whether the request was successful | True
|
ticket_duration
|
float | The ticket duration in seconds | 86400
|
ticket_from
|
timestamp | Time the ticket is good from | 2015-09-13T02:48:05.000Z
|
ticket_till
|
timestamp | Time the ticket is good until | 2037-09-13T02:48:05.000Z
|
NTLM fields
An ntlm event is created when a client uses NTLM to authenticate to a server.
The following table shows fields unique to the ntlm event type:
| Field | Type | Description | Example |
|---|---|---|---|
auth_domain
|
string | The domain used to authenticate the client | ACME
|
hostname
|
string | The client hostname used | FINANCEWKS008
|
ntlm_status
|
string | String indicating the result of the authentication | SUCCESS
|
success
|
Boolean | Indicates whether the authentication succeeded | True
|
username
|
string | The client username used | sqlservice
|
SMB file fields
An smb_file event is created when a file is transferred over the network through the use of SMB. This event type includes extra fields related MACB timestamps and file paths in addition to the file-object fields because SMB includes file metadata during the transfer.
The following table shows fields unique to the smb_file event type:
| Field | Type | Description | Example |
|---|---|---|---|
files
|
file-array | Files transferred over the SMB connection | N/A |
files.accessed_timestamp
|
timestamp | The last time the file was accessed | 2018-04-08T22:48:07.958Z
|
files.changed_timestamp
|
timestamp | The last time the file's metadata changed | 2018-04-08T22:48:07.958Z
|
files.created_timestamp
|
timestamp | The time the file was created | 2018-04-08T22:48:07.958Z
|
files.modified_timestamp
|
timestamp | The last time the file's content changed | 2018-04-08T22:48:07.958Z
|
files.name
|
string | The post-transfer name of the file (can be renamed before writing to disk) | secrets.zip
|
files.previous_name
|
string | The pre-transfer name of the file | exfil.zip
|
files.smb_path.path
|
string | The full network path to the target share | \\DYNACCOUNTIC-DC.dynaccountic.com\sysvol
|
files.smb_path.share
|
string | The target network share | sysvol
|
files.smb_path.system
|
string | The target host | DYNACCOUNTIC-DC.dynaccountic.com
|
smb_action
|
string | The action taken on the files | SMB::FILE_OPEN
|
SMB mapping fields
An smb_mapping event is created when a client attempts to interact with a network share via SMB. This includes both disk and pipe shares.
The following table shows fields unique to the smb_mapping event type:
| Field | Type | Description | Example |
|---|---|---|---|
native_file_system
|
string | The file system type on the target host (for Disk shares) | NTFS
|
share_type
|
string | The type of share established | DISK
|
smb_path.path
|
string | The full network path to the target share | \\DYNACCOUNTIC-DC.dynaccountic.com\sysvol
|
smb_path.share
|
string | The target network share | sysvol
|
smb_path.system
|
string | The target host | DYNACCOUNTIC-DC.dynaccountic.com
|
smb_service
|
string | The service used to establish a connection to the share | IPC
|
DCE RPC fields
A dce_rpc event is created when one host executes a DCE/RPC command against another host.
The following table shows fields unique to the dce_rpc event type:
| Field | Type | Description | Example |
|---|---|---|---|
dce_rpc_endpoint
|
string | The remote service targeted by the command | samr
|
dce_rpc_operation
|
string | The command submitted to the remote service | SamrOpenDomain
|
named_pipe
|
string | The name of the target pipe (or the destination port if not named | \pipe\lsass
|
round_trip_time
|
float | The time in seconds between command execution and results returned | 0.01
|
PE fields
A pe event is created when a portable executable (PE) file or object is transferred over a connection.
The following table shows fields unique to the pe event type:
| Field | Type | Description | Example |
|---|---|---|---|
compile_timestamp
|
timestamp | The compile timestamp extracted from the file | 2015-11-12T10:23:51.000Z
|
file
|
file-object | The enriched file properties (hashes, size, MIME-type) | N/A |
has_cert_table
|
Boolean | Indicates whether the file has an attribute certificate table | True
|
has_debug_data
|
Boolean | Indicates whether the file has a debug table | True
|
has_export_table
|
Boolean | Indicates whether the file has an export table | True
|
has_import_table
|
Boolean | Indicates whether the file has an import table | True
|
id
|
string | An internal unique identifier for the file | FrkSk6Y0mqKGxMBF6
|
is64_bit
|
Boolean | Indicates whether the file is 64-bit | True
|
is_exe
|
Boolean | Indicates whether the file is executable or just an object | True
|
machine
|
string | The architecture the file was compiled for | I386
|
os
|
string | The OS the file was compiled for | Windows XP
|
section_names
|
string-array | An array of section names extracted from the file | [.text, .rdata, .data, .rsrc]
|
subsystem
|
string | The subsystem the file was compiled for | WINDOWS_GUI
|
uses_aslr
|
Boolean | Indicates whether the file supports ASLR | True
|
uses_code_integrity
|
Boolean | Indicates whether the file enforces code integrity checks | True
|
uses_dep
|
Boolean | Indicates whether the file supports DEP | True
|
uses_seh
|
Boolean | Indicates whether the file uses SEH | True
|
Suricata fields
A suricata event is created when a Suricata query fires on a sensor. Queries from the ET Open query-set are included by default on all sensors.
|
|
Suricata runs independently from the metadata extraction process, and thus is not tied to |
The following table shows fields unique to the suricata event type:
| Field | Type | Description | Example |
|---|---|---|---|
payload
|
byte-array | The raw payload from the traffic that matched the query | N/A |
proto
|
string | The transport layer protocol used | tcp
|
sig_category
|
string | The query's category | A Network Trojan was Detected
|
sig_id
|
int | The query's ID | 2024290
|
sig_name
|
string | The query's name | ET TROJAN Jaff Ransomware Checkin M1
|
sig_rev
|
float | The query's revision number | 2
|
sig_severity
|
int | The query's severity rating (1 = high, 3 = low) | 1
|
Software fields
A software event is created when sufficient data is observed to fingerprint software running on a host. Such data could include a User-Agent string or a client version string.
|
|
Software events do not have a |
The following table shows fields unique to the software event type.
| Field | Type | Description | Example |
|---|---|---|---|
host
|
ip-object | The host from which the software was observed | 10.0.0.10
|
software_name
|
string | The name of the observed software | Wget
|
software_type
|
string | The category of the observed software | HTTP::BROWSER
|
software_version.additional
|
string | Arbitrary notes about the software | linux-gnu
|
software_version.major
|
int | The major version number | 1
|
software_version.minor
|
int | The first minor version number | 19
|
software_version.minor2
|
int | The second minor version number | 1
|
software_version.minor3
|
int | The third minor version number | 0
|
software_version.version
|
string | The full version string | Wget/1.19.1 (linux-gnu)
|
software_version.version_number
|
string | The full version number | 1.19.1
|
Observation fields
An observation event is created when the FortiNDR Cloud analytics backend identifies a correlation of information of interest. See below for valid values for the following fields:
|
You can view the list of observations in the Observations widget in the Default Dashboard . For more information, see:
|
|
|
Observations run independently from the metadata extraction process, and are not tied to |
The following table shows fields unique to the observation event type.
| Field | Type | Description | Example |
|---|---|---|---|
evidence_end_timestamp
|
timestamp | The timestamp for which the flagged activity ended. |
|
evidence_iql
|
string | An IQL statement that attempts to identify the events used to generate the observation. |
|
evidence_start_timestamp
|
timestamp | The timestamp for which the flagged activity began. |
|
observation_category
|
string | The subject of an observation. |
|
observation_class
|
string | The class of what was observed about the subject. |
|
observation_confidence
|
string | The confidence in the model output to what was attempted to be observed. |
|
observation_title
|
string | The title of what was attempted to be detected - similar to a suricata sig name. |
|
observation_uuid
|
string | A unique identifier for the model used to generate the observation. Multiple models may exist for the same title. |
|
sensor_ids
|
string array | A list of sensors from which activity was used as part of the observation. |
|
Notice Fields
| Field | Type | Description | Example |
|---|---|---|---|
|
application |
application |
The classified application for a flow |
|
|
customer_id |
string |
The code of the account that owns the event |
|
|
dst_ip |
string |
The IP of the responder to the connection |
|
|
dst_ip_enrichments |
ip_enrichments |
Enrichments for an IP |
|
|
dst_port |
integer |
The port of the responder to the connection |
|
|
event_type |
string |
The type of event recorded |
|
|
file_desc |
string |
Description of a file to provide more context. For example, if a notice was related to a file over HTTP, the URL of the request would be shown. |
|
|
file_mime_type |
string |
If the notice event is related to a file, this will be the mime type of the file. |
|
|
flow_id |
string |
A unique identifier for a flow shared by all events produced from that particular flow |
|
|
fuid |
string |
A file unique ID if this notice is related to a file. |
|
|
geo_distance |
number |
The difference between `src` and `dst` geo values |
|
|
intel |
intel |
Intel that matched entities in the event |
|
|
msg |
string |
Description of activity noticed. |
|
|
n |
integer |
Associated count, or perhaps a status code. |
|
|
note |
string |
Notice type |
|
|
notice_actions |
string |
The actions which have been applied to this notice. |
|
|
peer_descr |
string |
Textual description for the peer that raised this notice, including name, host address and port. |
|
|
proto |
string |
The transport protocol. |
|
|
sensor_id |
string |
The sensor that created the event |
|
|
source |
string |
The source of the event |
|
|
src_ip |
string |
The IP of the initiator of the connection |
|
|
src_ip_enrichments |
ip_enrichments |
Enrichments for an IP |
|
|
src_port |
integer |
The port of the initiator of the connection |
|
|
sub |
string |
Technical details of the activity. |
|
|
suppress_for |
number |
This field indicates the length of time that this unique notice should be suppressed. |
|
|
tag |
string |
| The type of event |
|
|
timestamp |
string |
The time at which traffic for the event began |
|
|
uuid |
string |
A unique identifier for the event |
|
Modbus fields
|
Field |
Type |
Description |
Example |
|---|---|---|---|
|
customer_id |
string |
The code of the account that owns the event |
chg |
|
dst |
ip_enriched_with_port |
The responder to the connection |
8.8.8.8 |
|
event_type |
string |
The type of event recorded |
modbus |
|
flow_id |
string |
A unique identifier for a flow shared by all events produced from that particular flow |
CtjvJR1nIzN4WFSuc7 |
|
geo_distance |
number |
The difference between src and dst geo values |
1410.373826280689 |
|
intel |
intel[] |
Intel that matched entities in the event |
|
|
is_orig |
boolean |
|
true |
|
modbus_address |
integer |
Starting address of value(s) field. |
|
|
modbus_function |
string |
The name of the function message that was sent. |
READ_INPUT_REGISTERS |
|
modbus_quantity |
integer |
Number of addresses/values read or written to. |
|
|
modbus_request_response |
string |
REQUEST or RESPONSE |
|
|
modbus_tid |
integer |
Modbus transaction identifier |
|
|
modbus_unit |
integer |
Modbus terminal unit identifier. |
|
|
modbus_values |
string[] |
Value(s) of coils, discrete_inputs, or registers read/written to. |
555,0,100 |
|
sensor_id |
string |
The sensor that created the event |
chg1 |
|
source |
string |
The source of the event |
Zeek |
|
src |
ip_enriched_with_port |
The initiator of the connection |
10.10.10.10 |
|
timestamp |
string |
The time at which traffic for the event began |
2019-01-01T00:00:00.000000Z |
|
uuid |
string |
A unique identifier for the event |
1ca116cb-9262-11e9-b5bf-02472fee9a4a |