Security event
The following table describes the fields in security events. The order that the fields are listed reflects the order of the fields in security event syslog messages.
| Syslog Field | Description | Data Type | Length |
|---|---|---|---|
| Organization | Name of the organization the security event belongs to. | String | 100 |
| Organization ID | ID of the organization the security event belongs to. | Integer | 10 |
| Event ID | Security event ID, automatically generated by the FortiEDR Manager. | Integer | 10 |
| Raw Data ID | Raw data ID of the security event, automatically generated by the FortiEDR Manager. | Integer | 10 |
| Device Name | Protected device name. | String | 1000 |
| Device State | State of the device triggering the event. The state can be one of the following: | String | 25 |
| Operating System | Protected device operating system. | String | 100 |
| Process Name | Name of the process triggering the event. | String | 32000 |
| Process Path | Path of the process triggering the event. | String | 32000 |
| Process Type | Bitness of the process: 32 or 64 bit. | String | 5 |
| Severity | Severity of the event. Legacy field. | String | 25 |
| Classification | Security grade of the event. The grade can be one of the following: | String | 25 |
| Destination | Destination of the event. The target can be an IP, URL, port, file creation, etc. | String | 255 |
| First Seen | Time of the first occurrence of the event in UTC, formatted as DD-MM-YYYY, hh:mm:ss. FortiEDR uses the Collector device's time when tracking security events. | Timestamp | 18 |
| Last Seen | Time of the last occurrence of the event in UTC, formatted as DD-MM-YYYY, hh:mm:ss. FortiEDR uses the Collector device's time when tracking security events. | Timestamp | 18 |
| Action | The action taken upon the event. The action can be either "logged" or "blocked". | String | 50 |
| Count | Number of occurrences of the Raw Data Item (RDI). | Integer | 16 |
| Certificate | Signed status of the process triggering the event. The status can be "yes" or "no". | String | 3 |
| Rules List | Security policy rules triggering the event. Refer to Out-of-the-box policies for a full list of predefined policies. | String | 5000 |
| Users | Names of the users logged in to the device at the time of the event. | String | 750 |
| MAC Address | Protected device MAC address. | String | 170 |
| Script | Name of the script the process has run. This field applies only to security events that include scripts. | String | 32000 |
| Script Path | Path of the script the process has run. This field applies only to security events that include scripts. | String | 32000 |
| Autonomous System | ASN of the destination IP. | String | 255 |
| Country | Name of the country the destination IP belongs to. | String | 255 |
| Process Hash | Hash of the process triggering the event. | String | 40 |
| Source IP | The protected device IP. | String | 255 |
| Threat Name | Name of the threat, if the process is an identified threat. | String | 250 |
| Threat Family | Family of the threat, if the process is an identified threat. | String | 200 |
| Threat Type | Type of the threat, if the process is an identified threat. | String | 200 |
| Remediation Processes | List of processes that FortiEDR attempted to kill, if the Process Termination action was triggered by the event. | String | 1000 |
| Remediation Files | List of files that FortiEDR attempted to delete, if the File Remediation action was triggered by the event. | String | 1000 |
| MITRE Techniques | MITRE technique associated with the event, if any. | String | 3000 |
| Target | Target of the operation that triggered the event. The target can be a file/process, registry key, or CVE identifier. | String | 2000 |
| Command line | Command line involved in the event, if any. | String | 2000 |
| Remote Connection | IP address of the remote host, if a remote host initiated the exploitation of the triggering device. | String | 2000 |
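The table above fixes the field order, data types and maximum lengths of a security event, which is exactly what a SIEM ingestion step needs to parse and sanity-check these messages. The following Python is an added example, not FortiEDR code and not the documented wire format: it assumes a constructed `Field: value;` encoding and a constructed sample event (all values are placeholders), and uses the fixed field order to locate each label only after the previous one, so values containing `:` or `;` (a destination with a port, a command line) do not break the parse. The validator then checks integers, timestamps and string lengths against the table.

```python
from datetime import datetime

# Field catalogue in syslog order, copied from the table on this page:
# (field name, data type, documented maximum length).
SCHEMA = [
    ("Organization", "String", 100), ("Organization ID", "Integer", 10),
    ("Event ID", "Integer", 10), ("Raw Data ID", "Integer", 10),
    ("Device Name", "String", 1000), ("Device State", "String", 25),
    ("Operating System", "String", 100), ("Process Name", "String", 32000),
    ("Process Path", "String", 32000), ("Process Type", "String", 5),
    ("Severity", "String", 25), ("Classification", "String", 25),
    ("Destination", "String", 255), ("First Seen", "Timestamp", 18),
    ("Last Seen", "Timestamp", 18), ("Action", "String", 50),
    ("Count", "Integer", 16), ("Certificate", "String", 3),
    ("Rules List", "String", 5000), ("Users", "String", 750),
    ("MAC Address", "String", 170), ("Script", "String", 32000),
    ("Script Path", "String", 32000), ("Autonomous System", "String", 255),
    ("Country", "String", 255), ("Process Hash", "String", 40),
    ("Source IP", "String", 255), ("Threat Name", "String", 250),
    ("Threat Family", "String", 200), ("Threat Type", "String", 200),
    ("Remediation Processes", "String", 1000), ("Remediation Files", "String", 1000),
    ("MITRE Techniques", "String", 3000), ("Target", "String", 2000),
    ("Command line", "String", 2000), ("Remote Connection", "String", 2000),
]
TIMESTAMP_FORMAT = "%d-%m-%Y, %H:%M:%S"  # DD-MM-YYYY, hh:mm:ss as documented


def parse_security_event(message):
    """Split a 'Field: value; Field: value' message into a dict.

    ASSUMPTION: the 'Field: value;' layout is a constructed encoding for this
    example, not the documented wire format. Because the field order is fixed,
    each label is searched for only after the previous label, so a value may
    itself contain ':' or ';' without breaking the parse. A field is absent
    from the result if its label does not occur in order.
    """
    labels, cursor = [], 0
    for name, _, _ in SCHEMA:
        label = name + ":"
        idx = message.find(label, cursor)
        if idx == -1:
            continue  # field not present in this message
        labels.append((name, idx, idx + len(label)))
        cursor = idx + len(label)
    fields = {}
    for i, (name, _, value_start) in enumerate(labels):
        value_end = labels[i + 1][1] if i + 1 < len(labels) else len(message)
        fields[name] = message[value_start:value_end].strip().rstrip(";").strip()
    return fields


def validate_security_event(fields):
    """Return a list of schema violations; an empty list means the event conforms."""
    issues = []
    for name, dtype, max_len in SCHEMA:
        value = fields.get(name, "")
        if not value:
            continue  # optional or empty field
        if dtype == "Integer" and not value.isdigit():
            issues.append(f"{name}: expected Integer, got {value!r}")
        elif dtype == "Timestamp":
            try:  # parsed by format; the documented length is not enforced here
                datetime.strptime(value, TIMESTAMP_FORMAT)
            except ValueError:
                issues.append(f"{name}: expected {TIMESTAMP_FORMAT!r}, got {value!r}")
        elif len(value) > max_len:
            issues.append(f"{name}: length {len(value)} exceeds {max_len}")
    return issues


# Constructed sample message; every value is a placeholder, not real telemetry.
SAMPLE_EVENT = (
    "Organization: Example Corp; Organization ID: 1; Event ID: 48213; Raw Data ID: 77; "
    "Device Name: WS-LAB-01; Device State: PLACEHOLDER_STATE; Operating System: Windows 10; "
    "Process Name: powershell.exe; Process Path: C:\\Windows\\System32\\powershell.exe; "
    "Process Type: 64; Classification: PLACEHOLDER_GRADE; Destination: 203.0.113.9:443; "
    "First Seen: 03-05-2024, 14:22:07; Last Seen: 03-05-2024, 14:25:41; Action: blocked; "
    "Count: 3; Certificate: yes; Rules List: Placeholder Rule; Users: WS-LAB-01\\analyst; "
    "MAC Address: 00:11:22:33:44:55; Process Hash: 0123456789abcdef0123456789abcdef01234567; "
    "Source IP: 10.0.0.5; MITRE Techniques: PLACEHOLDER_TECHNIQUE; Target: registry key; "
    "Command line: powershell.exe -Command \"Get-Process; Get-Service\"; "
    "Remote Connection: 203.0.113.9"
)

if __name__ == "__main__":
    event = parse_security_event(SAMPLE_EVENT)
    print(event["Command line"], validate_security_event(event))
```

One caveat worth knowing when writing such a validator: the table gives the First Seen and Last Seen fields a length of 18, while the stated format DD-MM-YYYY, hh:mm:ss occupies 20 characters, so the example checks timestamps by parsing the format rather than enforcing the documented length.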