FortiSIEM Event Attribute to CEF Key Mapping
FortiSIEM forwards externally received logs and internally generated events/incidents to an external system via CEF-formatted syslog. The tables below give the FortiSIEM event attribute, the CEF key it is written to, and any notes.
FortiSIEM Event Attribute to CEF Key Mappings
FortiSIEM event attributes | CEF key | Notes |
---|---|---|
appCategory | cat | |
appTransportProto | app | |
count | cnt | |
destAction | act | |
destDomain | destinationDnsDomain | |
destIntfName | deviceOutboundInterface | |
destIpAddr | destinationTranslatedAddress | |
destIpAddr | dst | |
destIpPort | destinationTranslatedPort | |
destIpPort | dpt | |
destMACAddr | dmac | |
destName | dhost | |
destServiceName | destinationServiceName | |
destUser | duser | |
destUserId | duid | |
destUserPriv | dpriv | |
deviceIdentification | deviceExternalId | |
deviceTime | rt | |
domain | deviceDnsDomain | |
endTime | end | |
errReason | reason | |
extEventId | externalId | |
fileAccess | filePermission | |
fileId | fileId | |
fileModificationTime | fileModificationTime | |
fileName | fname | |
filePath | filePath | |
fileSize | fsize | |
fileType | fileType | |
hashCode | fileHash | |
hostIpAddr | dvc | |
hostMACAddr | dvcmac | |
hostName | dvchost | |
httpCookie | requestCookies | |
httpMethod | requestMethod | |
httpReferrer | requestContext | |
httpUserAgent | requestClientApplication | |
infoURL | request | |
ipProto | proto | |
msg | msg | |
postNATHostIpAddr | deviceTranslatedAddress | |
postNATSrcIpAddr | sourceTranslatedAddress | |
postNATSrcIpPort | sourceTranslatedPort | |
procId | dvcpid | |
procName | deviceProcessName | |
recvBytes | in | |
sentBytes | out | |
serviceName | sourceServiceName | |
srcDomain | sourceDnsDomain | |
srcIntfName | deviceInboundInterface | |
intfName | deviceInboundInterface | |
srcIpAddr | src | |
srcIpPort | spt | |
srcMACAddr | smac | |
srcName | shost | |
srcUser | suser | |
srcUserPriv | spriv | |
startTime | start | |
targetProcId | dpid | |
targetProcName | dproc | |
Mapping to CEF Custom Attributes
FortiSIEM event attributes | CEF key | Notes |
---|---|---|
supervisorName | cs1Label=SupervisorHostName | |
customer | cs2Label=CustomerName | |
incidentDetail | cs3Label=IncidentDetail | |
ruleName | cs4Label=RuleName | |
inIncidentEventIdList | cs5Label=IncidentEventIDList | |
phCustId | cn1Label=CustomerID | |
incidentId | cn2Label=IncidentID | |
type | 0 = base event; 2 = incident | |
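As an added example (not code from Fortinet's documentation or from FortiSIEM itself), the following Python parser reads a CEF syslog line of the kind described above and reverses the two tables: standard keys are mapped back to FortiSIEM attribute names, each `csNLabel`/`csN` (or `cnNLabel`/`cnN`) pair is resolved to the labelled custom attribute, and `type` is interpreted per the last row. The sample line, its signature ID and the subset of the mapping it carries are constructed for illustration.

```python
import re
# Inverse of the first table above (subset): received CEF key -> FortiSIEM attribute name.
CEF_TO_FSM = {
    "src": "srcIpAddr", "spt": "srcIpPort", "dst": "destIpAddr", "dpt": "destIpPort",
    "proto": "ipProto", "rt": "deviceTime", "dvc": "hostIpAddr", "dvchost": "hostName",
    "suser": "srcUser", "duser": "destUser", "cnt": "count", "externalId": "extEventId",
}
# Labels from the custom-attribute table -> FortiSIEM attribute name.
LABEL_TO_FSM = {
    "SupervisorHostName": "supervisorName", "CustomerName": "customer", "IncidentDetail": "incidentDetail",
    "RuleName": "ruleName", "IncidentEventIDList": "inIncidentEventIdList",
    "CustomerID": "phCustId", "IncidentID": "incidentId",
}
HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")  # a value runs until the next ' key='

def _unescape(s):
    # CEF escapes: '\\' -> '\', '\=' -> '=', '\|' -> '|'; '\n' and '\r' stand for line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)

def parse_cef(line):
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:        # 7 header fields; '|' inside one is escaped
        if line[i] == "\\" and i + 1 < len(line):
            cur.append(line[i:i + 2]); i += 2; continue
        if line[i] == "|":
            fields.append(_unescape("".join(cur))); cur = []
        else:
            cur.append(line[i])
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 '|'-separated fields")
    event = dict(zip(HEADER, fields))
    raw = {k: _unescape(v) for k, v in _EXT.findall(line[i:])}
    for key, value in raw.items():
        if key.endswith("Label"):                   # cs1Label=X cs1=Y -> FortiSIEM name of X = Y
            base = key[:-5]
            if base in raw:
                event[LABEL_TO_FSM.get(value, value)] = raw[base]
        elif not (key[:2] in ("cs", "cn") and key[2:].isdigit()):  # csN/cnN handled via label
            event[CEF_TO_FSM.get(key, key)] = value  # unknown keys keep their CEF name
    event["is_incident"] = event.get("type") == "2"  # last row: 0 = base event, 2 = incident
    return event
# Constructed sample line (not captured from a real FortiSIEM instance).
SAMPLE = ("CEF:0|Fortinet|FortiSIEM|6.x|RULE_ID_PLACEHOLDER|Example Rule|7|"
          "rt=1700000000000 src=10.0.0.5 spt=51515 dst=10.0.0.9 dpt=22 proto=TCP suser=alice cnt=3 "
          "msg=Login failed for user\\=alice cs1Label=SupervisorHostName cs1=sp-01 cn2Label=IncidentID cn2=4242 type=2")

if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```

Note that `cnt` (count) must not be mistaken for a `cnN` custom number key; the digit check in the parser is what keeps them apart.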