DOCUMENT LIBRARY

FortiGate / FortiOS

FortiManager

FortiAnalyzer

User Guide

FortiSIEM User Guide
TABLE OF CONTENTS
Overview
FortiSIEM Releases
- What's New in 7.1.0
- What's New in 7.0.4
- What's New in 7.0.3
- What's New in 7.0.2
- What's New in 7.0.1
- What's New in 7.0.0
Windows Agent Releases
Content Pack Updates
Key Concepts
Getting Started
Advanced Operations
- CMDB
- Incidents and Cases
- Device Support
- Rules, Reports, and Dashboards
- Advanced Health System
- Managing FortiSIEM
Administration
- Setup
- Device Support
- Health
- License
- Content Update
- Settings
Managing CMDB
- Devices
- Applications
- Users
- Business Services
- CMDB Reports
Managing Resources
- Reports
  - Viewing System Reports
  - Running System Reports
  - Creating New Reports
  - Working With Report Templates
  - Scheduling Reports
  - Importing and Exporting Reports
  - Importing and Exporting Report Definitions
- Rules
  - Viewing Rules
  - Creating Rules
  - Activating and Deactivating a Rule
  - Testing a Rule
  - Exporting and Importing a Rule Definitions
- Networks
  - Adding a Network
  - Modifying a Network
  - Deleting a Network
- Watch Lists
  - System-defined Watch list
  - Creating a Watch List
  - Modifying a Watch List
  - Using a Watch List
  - Exporting and Importing Watch Lists
- Protocols
  - Adding a Protocol
  - Modifying a Protocol
  - Deleting a Protocol
- Event Types
  - Adding an Event Type
  - Modifying an Event Type
  - Deleting an Event Type
- Working with AlienVault OTX
- Working with Dragos IOCs
- Working with FortiGuard IOCs
- Working with Malware Patrol
- Working with ThreatConnect
- Malware Domains
  - Adding a Malware Domain
  - Modifying a Malware Domain
  - Deleting a Malware Domain
  - Importing Malware Domains
  - Viewing Malware Domains
    - Working with Custom Threat Feeds that use HTTPS Connectivity
- Malware IPs
  - Adding a Malware IP
  - Modifying a Malware IP
  - Deleting a Malware IP
  - Importing Malware IPs
  - Viewing Malware IPs
- Malware URLs
  - Adding a Malware URL
  - Modifying a Malware URL
  - Deleting a Malware URL
  - Importing Malware URLs
  - Viewing Malware URLs
- Malware Processes
  - Creating a Malware Process Group
  - Adding a Malware Process
  - Modifying a Malware Process
  - Deleting a Malware Process
  - Importing Malware Processes
  - Viewing Malware Processes
- Country Groups
  - Creating a Country Group
  - Adding a Country Group
  - Modifying a Country Group
  - Deleting a Country Group
  - Changing the Home Country
- Malware Hash
  - Adding a Malware Hash
  - Modifying a Malware Hash
  - Importing/Updating User-defined Malware Hash
  - Viewing Malware Hash
- Default Password
  - Adding a Default Password
  - Modifying a Default Password
  - Importing and Exporting a Default Password
- Anonymity Network
  - Adding Anonymity Networks
  - Modifying Anonymity Networks
  - Updating Anonymity Networks
- User Agents
  - Adding User Agents
  - Modifying User Agents
  - Importing and Exporting User Agents
- Remediations
  - Adding Remediations
  - Modifying Remediations
  - Deleting Remediations
- Lookup Tables
  - Adding a Lookup Table
  - Deleting a Lookup Table
  - Working with Lookup Table Data
- Playbooks
  - Viewing Playbooks
  - Updating Playbooks
- Connectors
  - Viewing Connectors
  - Updating Connectors
- Machine Learning Jobs
  - Viewing Machine Learning Jobs
  - Editing a Machine Learning Job
  - Deleting a Machine Learning Job
- Osquery
  - Viewing osquery Templates
  - Creating osquery Templates
Working with Cases
- Creating a Ticket
- Editing a Ticket
- Managing Cases
Working with Incidents
- Overview View
- List View
- Risk View
- Explorer View
- MITRE ATT&CK View
- UEBA View
- Investigating Incidents
- Automated Incident Resolution Recommendation
- Lookups Via External Websites
- CVE-Based IPS False Positive Analysis
- Remediating an Incident using a Script
- Executing a Playbook on an Incident
- Running a Connector on an Incident
- Troubleshooting Incident Trigger
Working with Analytics Search
- Running a Built-in Search
- Understanding Search Components
- New Query Functions
- Viewing Historical Search Results
- Viewing Real-time Search Result
- Using Nested Queries
- Searches Using Pre-computed Results
- Saving Search Results
- Viewing Saved Search Results, Loading Reports and Shortcuts
- Exporting Search Results
- Emailing Search Results
- Creating a Rule from Search
- Copying Filter and Time Range Tab Information
- Executing a Playbook
- Running a Connector
Machine Learning
- Overview
- Anomaly Detection
- Classification
- Clustering
- Forecasting
- Regression
Working with Dashboards
- General Operations
- Widget Dashboard
- Summary Dashboard
- Business Service Dashboard
- Identity and Location Dashboard
- Interface Usage Dashboard
- PCI Logging Status Dashboard
Managing Tasks
Fortinet Advisor
FortiSIEM Manager
- FortiSIEM Manager Incidents
  - FortiSIEM Manager Incidents Overview View
  - FortiSIEM Manager Incidents - List View
- FortiSIEM Manager CMDB Users
  - FortiSIEM Manager CMDB Adding Users
  - FortiSIEM Manager - Editing User Information
- FortiSIEM Manager Resources
- FortiSIEM Manager Admin
Appendix
- Administrative Tools and Information
- ClickHouse Usage Notes
- Configuration Notes
- Elasticsearch Usage Notes
- Examples of Custom Performance Monitors
- FortiEMS Endpoint Tagging
- GUI Notes
  - Flash to HTML5 GUI Mapping
  - FortiSIEM Charts and Maps
- FortiSOAR Integration Notes
  - Configuring FortiSOAR for FortiSIEM Integration
  - Writing FortiSIEM Compatible FortiSOAR Playbooks
- Functions in Analytics
- Knowledge Base
- License Enforcement
- Parser Specification
- Python Threat Feed Framework
- UEBA Information

Home FortiSIEM 7.1.0 User Guide

7.1.0

FortiSIEM Event Attribute to CEF Key Mapping

FortiSIEM forwards externally received logs and internally generated events/incidents to an external system via CEF formatted syslog.

FortiSIEM Event Attribute to CEF Key Mappings

FortiSIEM event attributes	CEF key	Notes
appCategory	cat
appTransportProto	app
count	cnt
destAction	act
destDomain	destinationDnsDomain
destIntfName	deviceOutboundInterface
destIpAddr	destinationTranslated Address
destIpAddr	dst
destIpPort	destinationTranslatedPort
destIpPort	dpt
destMACAddr	dmac
destName	dhost
destServiceName	destinationServiceName
destUser	duser
destUserId	duid
destUserPriv	dpriv
deviceIdentification	deviceExternalId
deviceTime	rt
domain	deviceDnsDomain
endTime	end
errReason	reason
extEventId	externalId
fileAccess	filePermission
fileId	fileId
fileModificationTime	fileModificationTime
fileName	fname
filePath	filePath
fileSize	fsize
fileType	fileType
hashCode	fileHash
hostIpAddr	dvc
hostMACAddr	dvcmac
hostName	dvchost
httpCookie	requestCookies
httpMethod	requestMethod
httpReferrer	requestContext
httpUserAgent	requestClientApplication
infoURL	request
ipProto	proto
msg	msg
postNATHostIpAddr	deviceTranslatedAddress
postNATSrcIpAddr	sourceTranslatedAddress
postNATSrcIpPort	sourceTranslatedPort
procId	dvcpid
procName	deviceProcessName
recvBytes	in
sentBytes	out
serviceName	sourceServiceName
srcDomain	sourceDnsDomain
srcIntfName	deviceInboundInterface
intfName	deviceInboundInterface
srcIpAddr	src
srcIpPort	spt
srcMACAddr	smac
srcName	shost
srcUser	suser
srcUserPriv	spriv
startTime	start
targetProcId	dpid
targetProcName	dproc

Mapping to CEF Custom Attributes

FortiSIEM event attributes	CEF key	Notes
supervisorName	cs1Label = SupervisorHostName
customer	cs2Label = CustomerName
incidentDetail	cs3Label=IncidentDetail
ruleName	cs4Label=RuleName
inIncidentEventIdList	cs5Label=IncidentEventIDList
phCustId	cn1Label=CustomerID
incidentId	cn2Label=IncidentID

	type	0 = base event; 2 = incident

FortiSIEM Event Attribute to CEF Key Mapping

FortiSIEM forwards externally received logs and internally generated events/incidents to an external system via CEF formatted syslog.

FortiSIEM Event Attribute to CEF Key Mappings

FortiSIEM event attributes	CEF key	Notes
appCategory	cat
appTransportProto	app
count	cnt
destAction	act
destDomain	destinationDnsDomain
destIntfName	deviceOutboundInterface
destIpAddr	destinationTranslated Address
destIpAddr	dst
destIpPort	destinationTranslatedPort
destIpPort	dpt
destMACAddr	dmac
destName	dhost
destServiceName	destinationServiceName
destUser	duser
destUserId	duid
destUserPriv	dpriv
deviceIdentification	deviceExternalId
deviceTime	rt
domain	deviceDnsDomain
endTime	end
errReason	reason
extEventId	externalId
fileAccess	filePermission
fileId	fileId
fileModificationTime	fileModificationTime
fileName	fname
filePath	filePath
fileSize	fsize
fileType	fileType
hashCode	fileHash
hostIpAddr	dvc
hostMACAddr	dvcmac
hostName	dvchost
httpCookie	requestCookies
httpMethod	requestMethod
httpReferrer	requestContext
httpUserAgent	requestClientApplication
infoURL	request
ipProto	proto
msg	msg
postNATHostIpAddr	deviceTranslatedAddress
postNATSrcIpAddr	sourceTranslatedAddress
postNATSrcIpPort	sourceTranslatedPort
procId	dvcpid
procName	deviceProcessName
recvBytes	in
sentBytes	out
serviceName	sourceServiceName
srcDomain	sourceDnsDomain
srcIntfName	deviceInboundInterface
intfName	deviceInboundInterface
srcIpAddr	src
srcIpPort	spt
srcMACAddr	smac
srcName	shost
srcUser	suser
srcUserPriv	spriv
startTime	start
targetProcId	dpid
targetProcName	dproc

Mapping to CEF Custom Attributes

FortiSIEM event attributes	CEF key	Notes
supervisorName	cs1Label = SupervisorHostName
customer	cs2Label = CustomerName
incidentDetail	cs3Label=IncidentDetail
ruleName	cs4Label=RuleName
inIncidentEventIdList	cs5Label=IncidentEventIDList
phCustId	cn1Label=CustomerID
incidentId	cn2Label=IncidentID

	type	0 = base event; 2 = incident

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

User Guide

FortiSIEM Event Attribute to CEF Key Mapping

FortiSIEM Event Attribute to CEF Key Mapping

FortiSIEM Event Attribute to CEF Key Mapping

FortiSIEM Event Attribute to CEF Key Mapping