Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Aliases and metadata tables

Aliases in predefined datasets

Some predefined FortiAnalyzer datasets make use of aliases which are labeled as t1, t2, etc. These temporary names can only be referenced within the dataset in which they are created.

As an example, the t1 and t2 aliases are used in the threat-Top-Intrusions-By-Types dataset to define the following tables:

  • t1: Intrusion Prevention log data.
  • t2: The name, CVE, and vuln_type from the IPS_mdata table.

Metadata tables

FortiAnalyzer has access to metadata tables which are used in some predefined datasets to enrich a chart's data by complementing log fields with information from FortiGuard. This is typically accomplished through the use of the SQL JOIN clause.

As an example, in the threat-Top-Intrusions-By-Type dataset, the ips_mdata metadata table is referenced. The ips_mdata table is a collection of intrusion prevention related metadata from FortiGuard that is used by this dataset to add information about vulnerability types, vulnerability names, and CVE data to intrusion prevention logs.

You can view the information contained in the metadata tables (as well as other tables) using the following custom dataset. An asterisk can be used to select all applicable fields.

select <field> from <table name>

For example, the custom dataset below displays all fields retrieved from the IPS metadata table.

Metadata tables from FortiGuard are also available to be used in custom dataset queries. The following metadata tables are available:

  • ips_mdata
  • app_mdata
  • fct_mdata
  • pci_dss_mdata
  • td_threat_name_mdata

Aliases and metadata tables

Aliases in predefined datasets

Some predefined FortiAnalyzer datasets make use of aliases which are labeled as t1, t2, etc. These temporary names can only be referenced within the dataset in which they are created.

As an example, the t1 and t2 aliases are used in the threat-Top-Intrusions-By-Types dataset to define the following tables:

  • t1: Intrusion Prevention log data.
  • t2: The name, CVE, and vuln_type from the IPS_mdata table.

Metadata tables

FortiAnalyzer has access to metadata tables which are used in some predefined datasets to enrich a chart's data by complementing log fields with information from FortiGuard. This is typically accomplished through the use of the SQL JOIN clause.

As an example, in the threat-Top-Intrusions-By-Type dataset, the ips_mdata metadata table is referenced. The ips_mdata table is a collection of intrusion prevention related metadata from FortiGuard that is used by this dataset to add information about vulnerability types, vulnerability names, and CVE data to intrusion prevention logs.

You can view the information contained in the metadata tables (as well as other tables) using the following custom dataset. An asterisk can be used to select all applicable fields.

select <field> from <table name>

For example, the custom dataset below displays all fields retrieved from the IPS metadata table.

Metadata tables from FortiGuard are also available to be used in custom dataset queries. The following metadata tables are available:

  • ips_mdata
  • app_mdata
  • fct_mdata
  • pci_dss_mdata
  • td_threat_name_mdata