FortiSIEM Event Attribute to CEF Key Mapping
FortiSIEM forwards externally received logs and internally generated events/incidents to an external system via CEF formatted syslog.
FortiSIEM Event Attribute to CEF Key Mappings
| FortiSIEM event attributes | CEF key | Notes |
|---|---|---|
| appCategory | cat | |
| appTransportProto | app | |
| count | cnt | |
| destAction | act | |
| destDomain | destinationDnsDomain | |
| destIntfName | deviceOutboundInterface | |
| destIpAddr | destinationTranslated Address | |
| destIpAddr | dst | |
| destIpPort | destinationTranslatedPort | |
| destIpPort | dpt | |
| destMACAddr | dmac | |
| destName | dhost | |
| destServiceName | destinationServiceName | |
| destUser | duser | |
| destUserId | duid | |
| destUserPriv | dpriv | |
| deviceIdentification | deviceExternalId | |
| deviceTime | rt | |
| domain | deviceDnsDomain | |
| endTime | end | |
| errReason | reason | |
| extEventId | externalId | |
| fileAccess | filePermission | |
| fileId | fileId | |
| fileModificationTime | fileModificationTime | |
| fileName | fname | |
| filePath | filePath | |
| fileSize | fsize | |
| fileType | fileType | |
| hashCode | fileHash | |
| hostIpAddr | dvc | |
| hostMACAddr | dvcmac | |
| hostName | dvchost | |
| httpCookie | requestCookies | |
| httpMethod | requestMethod | |
| httpReferrer | requestContext | |
| httpUserAgent | requestClientApplication | |
| infoURL | request | |
| ipProto | proto | |
| msg | msg | |
| postNATHostIpAddr | deviceTranslatedAddress | |
| postNATSrcIpAddr | sourceTranslatedAddress | |
| postNATSrcIpPort | sourceTranslatedPort | |
| procId | dvcpid | |
| procName | deviceProcessName | |
| recvBytes | in | |
| sentBytes | out | |
| serviceName | sourceServiceName | |
| srcDomain | sourceDnsDomain | |
| srcIntfName | deviceInboundInterface | |
| intfName | deviceInboundInterface | |
| srcIpAddr | src | |
| srcIpPort | spt | |
| srcMACAddr | smac | |
| srcName | shost | |
| srcUser | suser | |
| srcUserPriv | spriv | |
| startTime | start | |
| targetProcId | dpid | |
| targetProcName | dproc |
Mapping to CEF Custom Attributes
| FortiSIEM event attributes | CEF key | Notes |
|---|---|---|
| supervisorName | cs1Label = SupervisorHostName | |
| customer | cs2Label = CustomerName | |
| incidentDetail | cs3Label=IncidentDetail | |
| ruleName | cs4Label=RuleName | |
| inIncidentEventIdList | cs5Label=IncidentEventIDList | |
| phCustId | cn1Label=CustomerID | |
| incidentId | cn2Label=IncidentID | |
| type | 0 = base event; 2 = incident |
Copyright © 2019 Fortinet, Inc. All Rights Reserved. | Terms of Service | Privacy Policy
