FortiSIEM Event Attribute to CEF Key Mapping

FortiSIEM forwards externally received logs and internally generated events/incidents to an external system as CEF-formatted syslog. The tables below list which CEF key each FortiSIEM event attribute is written to.

FortiSIEM Event Attribute to CEF Key Mappings

| FortiSIEM event attribute | CEF key | Notes |
|---|---|---|
| appCategory | cat | |
| appTransportProto | app | |
| count | cnt | |
| destAction | act | |
| destDomain | destinationDnsDomain | |
| destIntfName | deviceOutboundInterface | |
| destIpAddr | destinationTranslatedAddress | |
| destIpAddr | dst | |
| destIpPort | destinationTranslatedPort | |
| destIpPort | dpt | |
| destMACAddr | dmac | |
| destName | dhost | |
| destServiceName | destinationServiceName | |
| destUser | duser | |
| destUserId | duid | |
| destUserPriv | dpriv | |
| deviceIdentification | deviceExternalId | |
| deviceTime | rt | |
| domain | deviceDnsDomain | |
| endTime | end | |
| errReason | reason | |
| extEventId | externalId | |
| fileAccess | filePermission | |
| fileId | fileId | |
| fileModificationTime | fileModificationTime | |
| fileName | fname | |
| filePath | filePath | |
| fileSize | fsize | |
| fileType | fileType | |
| hashCode | fileHash | |
| hostIpAddr | dvc | |
| hostMACAddr | dvcmac | |
| hostName | dvchost | |
| httpCookie | requestCookies | |
| httpMethod | requestMethod | |
| httpReferrer | requestContext | |
| httpUserAgent | requestClientApplication | |
| infoURL | request | |
| ipProto | proto | |
| msg | msg | |
| postNATHostIpAddr | deviceTranslatedAddress | |
| postNATSrcIpAddr | sourceTranslatedAddress | |
| postNATSrcIpPort | sourceTranslatedPort | |
| procId | dvcpid | |
| procName | deviceProcessName | |
| recvBytes | in | |
| sentBytes | out | |
| serviceName | sourceServiceName | |
| srcDomain | sourceDnsDomain | |
| srcIntfName | deviceInboundInterface | |
| intfName | deviceInboundInterface | |
| srcIpAddr | src | |
| srcIpPort | spt | |
| srcMACAddr | smac | |
| srcName | shost | |
| srcUser | suser | |
| srcUserPriv | spriv | |
| startTime | start | |
| targetProcId | dpid | |
| targetProcName | dproc | |

Mapping to CEF Custom Attributes

| FortiSIEM event attribute | CEF key | Notes |
|---|---|---|
| supervisorName | cs1 | cs1Label=SupervisorHostName |
| customer | cs2 | cs2Label=CustomerName |
| incidentDetail | cs3 | cs3Label=IncidentDetail |
| ruleName | cs4 | cs4Label=RuleName |
| inIncidentEventIdList | cs5 | cs5Label=IncidentEventIDList |
| phCustId | cn1 | cn1Label=CustomerID |
| incidentId | cn2 | cn2Label=IncidentID |
| | type | 0 = base event; 2 = incident |
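As an added example (not FortiSIEM's own code), the parser below consumes a forwarded CEF syslog line on the receiving side, undoes the CEF escaping (`\|` in the header, `\=` in extension values), resolves the custom fields by their `csNLabel`/`cnNLabel` names, and translates a subset of the CEF keys from the tables above back to FortiSIEM attribute names. The sample line, its vendor/product strings, version and rule name are constructed placeholders.

```python
import re
# Inverse of a subset of the mapping table above: CEF key -> FortiSIEM attribute name.
CEF_TO_FORTISIEM = {
    "src": "srcIpAddr", "spt": "srcIpPort", "dst": "destIpAddr", "dpt": "destIpPort",
    "proto": "ipProto", "suser": "srcUser", "duser": "destUser", "act": "destAction",
    "rt": "deviceTime", "dvc": "hostIpAddr", "dvchost": "hostName", "msg": "msg",
    "cnt": "count", "externalId": "extEventId",
}
# An extension key is a word at the start or after whitespace followed by an
# unescaped '='; an escaped '\=' inside a value therefore never starts a key.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

def split_cef_header(cef):
    # Split on unescaped pipes; maxsplit=7 keeps the extension whole; then unescape '\|' and '\\'.
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    return [p.replace("\\|", "|").replace("\\\\", "\\") for p in parts]

def parse_extension(ext):
    # Values may contain spaces, so each value runs up to the start of the next key.
    fields, keys = {}, list(KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        fields[m.group(1)] = raw.replace("\\=", "=").replace("\\n", "\n").replace("\\\\", "\\")
    return fields

def resolve_custom_labels(fields):
    # csN/cnN carry the value and csNLabel/cnNLabel its name, e.g. cs1Label=SupervisorHostName.
    out = {}
    for k, v in fields.items():
        if not re.fullmatch(r"c[sn]\d+Label", k):
            out[fields.get(k + "Label", k)] = v
    return out

def parse_cef(line):
    # Skip the syslog PRI/timestamp/host prefix and parse from 'CEF:' onward.
    start = line.find("CEF:")
    hdr = split_cef_header(line[start:]) if start >= 0 else []
    if len(hdr) != 8:
        raise ValueError("not a well-formed CEF message")
    fields = resolve_custom_labels(parse_extension(hdr[7]))
    return {"vendor": hdr[1], "product": hdr[2], "signature_id": hdr[4], "name": hdr[5],
            "severity": hdr[6],  # unmapped keys such as 'type' keep their CEF name
            "attributes": {CEF_TO_FORTISIEM.get(k, k): v for k, v in fields.items()}}

# Constructed sample (not real FortiSIEM output); version and rule name are placeholders.
SAMPLE = ("<134>Jan 10 12:00:00 fsm-super CEF:0|Fortinet|FortiSIEM|0.0|EXAMPLE_RULE|Example rule|5|"
          "rt=Jan 10 2024 12:00:00 src=10.0.0.5 spt=51234 dst=10.0.0.9 dpt=443 proto=TCP "
          "msg=login failed for user a\\=b cs1=super01 cs1Label=SupervisorHostName cn2=4242 cn2Label=IncidentID type=2")
```

Calling `parse_cef(SAMPLE)` yields the header fields plus an `attributes` dict keyed by FortiSIEM names (for example `srcIpAddr`, `destIpPort`, `SupervisorHostName`, `IncidentID`).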