Security event
The following table describes the fields in security events. The order in which the fields are listed reflects their order in security event syslog messages.
| Syslog Field | LEEF Field | CEF Field (1) | CEF custom label value | Description | Data Type | Length |
|---|---|---|---|---|---|---|
| Organization | Organization | cs1 | cs1Label=Organization | Name of the organization the security event belongs to. | String | 100 |
| Organization ID | OrganizationId | cs2 | cs2Label=OrganizationId | ID of the organization. | Integer | 10 |
| Event ID | EventId | eventid | — | Security event ID automatically generated by the FortiEDR Manager. | Integer | 10 |
| Raw Data ID | RawDataId | cs6 | cs6Label=RawDataId | Raw data ID of the security event, automatically generated by the FortiEDR Manager. | Integer | 10 |
| Device Name | Hostname | Shost | — | Protected device name. | String | 1000 |
| Device State | DeviceState | cs5 | cs5Label=DeviceState | State of the device triggering the event. The state can be one of the following: | String | 25 |
| Operating System | OS | cs3 | cs3Label=OS | Protected device operating system. | String | 100 |
| Process Name | fname | fname | — | Name of the process triggering the event. | String | 32000 |
| Process Path | filePath | filePath | — | Path of the process triggering the event. | String | 32000 |
| Process Type | AppBitness | AppBitness | — | Bitness of the process: 32 or 64 bit. | String | 5 |
| Severity | sev | Severity | — | Severity of the event. Legacy field. | String | 25 |
| Classification | Classification | Classification | — | Security grade of the event. The grade can be one of the following: | String | 25 |
| Destination | dst | dst | — | Destination of the event. The target can be an IP, URL, port, file creation, etc. | String | 255 |
| First Seen | FirstSeen | deviceCustomDate1 | deviceCustomDate1Label=FirstSeen | Time of the first occurrence of the event, in UTC, in the format DD-MM-YYYY, hh:mm:ss. FortiEDR uses the Collector device's time when tracking security events. | Timestamp | 18 |
| Last Seen | LastSeen | deviceCustomDate2 | deviceCustomDate2Label=LastSeen | Time of the last occurrence of the event, in UTC, in the format DD-MM-YYYY, hh:mm:ss. FortiEDR uses the Collector device's time when tracking security events. | Timestamp | 18 |
| Action | Cat | act | — | The action taken upon the event: either "logged" or "blocked". | String | 50 |
| Count | Count | cnt | — | Number of occurrences of the Raw Data Item (RDI). | Integer | 16 |
| Certificate | AppSigned | AppSigned | — | Signed status of the process triggering the event: "yes" or "no". | String | 3 |
| Rules List | Alerts | reason | — | Security policy rules triggering the event. Refer to Out-of-the-box policies for a full list of predefined policies. | String | 5000 |
| Users | usrName | suser | — | Names of the users logged in to the device at the time of the event. | String | 750 |
| MAC Address | srcMAC | dmac | — | Protected device MAC address. | String | 170 |
| Script | ProcessScriptModule | ProcessScriptModule | — | Name of the script the process has run. Applies only to security events that include scripts. | String | 32000 |
| Script Path | ProcessScriptModulePath | ProcessScriptModulePath | — | Path of the script the process has run. Applies only to security events that include scripts. | String | 32000 |
| Autonomous System | ASN | ASN | — | ASN of the destination IP. | String | 255 |
| Country | Country | calLanguage | — | Name of the country the destination IP belongs to. | String | 255 |
| Process Hash | ProcessHash | fileHash | — | Hash of the process triggering the event. | String | 40 |
| Source IP | src | deviceTranslatedAddress | — | The protected device IP. | String | 255 |
| Threat Name | ThreatName | threatAttackID | — | Name of the threat if the process is an identified threat. | String | 250 |
| Threat Family | ThreatFamily | threatActor | — | Family of the threat if the process is an identified threat. | String | 200 |
| Threat Type | ThreatType | frameworkName | — | Type of the threat if the process is an identified threat. | String | 200 |
| Remediation Processes | TerminateProcessProcessName, TerminateProcessId | TerminateProcessProcessName, TerminateProcessId | — | List of processes that FortiEDR attempted to kill if the Process Termination action was triggered by the event. | String | 1000 |
| Remediation Files | ExecutablesToRemove | ExecutablesToRemove | — | List of files that FortiEDR attempted to delete if the File Remediation action was triggered by the event. | String | 1000 |
| MITRE Techniques | MitreTags | MitreTags | — | MITRE technique associated with the event, if any. | String | 3000 |
| Target | EventTarget | EventTarget | — | Target of the operation that triggered the event. The target can be a file/process, registry key, or CVE identifier. | String | 2000 |
| Command line | EventCommandLine | EventCommandLine | — | Command line involved in the event, if any. | String | 2000 |
| Remote Connection | RemoteConnection | RemoteConnection | — | IP address of the remote host, if a remote host initiated the exploitation of the triggering device. | String | 2000 |
| Deployment | Deployment | Deployment | — | Server name. | String | 64 |
| Stack Hashes | StackHashes | StackHashes | — | Hashes of files on the process stack. | String | 512 |
| Stack Certificates | StackCertificates | StackCertificates | — | Signed status of files on the process stack. | String | 64 |
(1) Custom fields in CEF format (such as cs1 and deviceCustomDate1) are sent together with the matching CEF custom label value, which defines the display label for that custom field in the consuming system. The message therefore carries two fields for each custom value: the label field and the value field. For example, for the Organization "Marketing", FortiEDR sends the two CEF fields "cs1Label=Organization" and "cs1=Marketing" in the message.