Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 7.2.4
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    User Guide

    Home FortiSIEM 7.2.4 User Guide
    7.2.4
    7.5.1
    7.5.0
    7.4.2
    7.4.1
    7.4.0
    7.3.5
    7.3.4
    7.3.3
    7.3.2
    7.3.1
    7.3.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.9
    7.1.8
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    4.10.0
    4.9.0
    4.8.1
    4.7.2

    Conversions Functions

    Conversion Functions

    These functions convert formats before setting to the event attributes.

    1. calculateMSec

    2. calculateSec

    3. convertHexStrToInt

    4. convertIpDecimalToStr

    5. convertStrToIntIpPort

    6. convertStrToIntIpProto

    7. toLower

    8. toUpper

    9. toDateTime

    10. toUnixTime

    The following are deprecated

    1. convertHexStrToStr

    2. convertHostNameToIp

    calculateMSec

    Description: This function converts a time duration in HH:MM:SS format to milliseconds.

    Syntax:

    <setEventAttribute attr="durationMSec">
            calculateMSec($_duration)
     </setEventAttribute>

    Arg1: Variable storing the time duration (HH:MM:SS format) to be converted to milliseconds.

    Arg2: Variable storing the time duration in milliseconds (integer).

    Note: Variable can be a local variable or a FortiSIEM event attribute.

    Example:

         <setEventAttribute attr="durationMSec">
            calculateMSec($_duration)
     </setEventAttribute>

    Suppose _duration is parsed as 00:01:05

    After execution:

    durationMSec: 65000

    calculateSec

    Description: This function converts a time duration in HH:MM:SS format to seconds.

    Syntax:

    <setEventAttribute attr="Arg2">
            calculateMSec(Arg1)
</setEventAttribute>

    Arg1: Variable storing the time duration (HH:MM:SS format) to be converted to seconds.

    Arg2: Variable storing the time duration in seconds (integer).

    Note: Variable can be a local variable or a FortiSIEM event attribute.

    Example:

    <setEventAttribute attr="vulnScanDuration">
     calculateSec($_duration)
</setEventAttribute>

    Suppose _duration is parsed as 00:01:05.

    After execution:

    vulnScanDuration: 65

    convertHexStrToInt

    Description: This function converts a hex number to integer.

    Syntax:

    <setEventAttribute attr="Arg2">
      convertHexStrToInt(Arg1)
</setEventAttribute>

    Arg1: Variable storing the value in hex format to be converted to integer.

    Arg2: Variable storing the converted integer value.

    Note: Variable can be a local variable or a FortiSIEM event attribute.

    Example:

    <setEventAttribute attr="ipConnId">
      convertHexStrToInt($_ipConnId)
</setEventAttribute>

    Input:

    _ipConnId: 0xA

    Output:

    ipConnId =10

    convertIpDecimalToStr

    Description: This function converts decimal IP address to string.

    Syntax:

    <setEventAttribute attr="Arg2">
     convertIpDecimalToStr(Arg1)
</setEventAttribute>

    Arg1: Variable storing the IPV4 value as integer.

    Arg2: Variable storing the converted IPV4 value in string format.

    Note: Variable can be a local variable or a FortiSIEM event attribute.

    Example:

    <setEventAttribute attr="srcIpAddr">
     convertIpDecimalToStr($_srcIpAddr)
</setEventAttribute>

    Input:

    _srcIpAddr = 16843009

    Output:

    srcIpAddr = 1.1.1.1

    convertStrToIntIpPort

    Description:This function converts TCP/UDP Port name to port number, e.g. HTTP -> 80.

    Syntax:

    <setEventAttribute attr="Arg2">
         convertStrToIntIpPort($Arg1)
</setEventAttribute>

    Arg1: Variable storing the TCP/UDP Port name in string format.

    Arg2: Variable storing the converted TCP/UDP Port name in integer format.

    Note: Variable can be a local variable or a FortiSIEM event attribute.

    Example:

    <setEventAttribute attr="destIpPort">
         convertStrToIntIpPort($appTransportProto)
</setEventAttribute>

    Input:

    appTransportProto = "http"

    Output:

    destIpPort = 80

    convertStrToIntIpProto

    Description:This function converts an IP protocol name (e.g. TCP, UDP, ICMP, etc.) to integer form.

    Syntax:

    <setEventAttribute attr="Arg2">
     convertStrToIntIpProto (Arg1)
</setEventAttribute>

    Arg1: Variable storing the IP protocol name in string format.

    Arg2: Variable storing the converted IP protocol name in integer format.

    Note: Variable can be a local variable or a FortiSIEM event attribute.

    Example:

    <setEventAttribute attr="ipProto">
      convertStrToIntIpProto($_proto)
</setEventAttribute>

    Input:

    _proto = "TCP"

    Output:

    ipProto = 6

    toLower

    Description: This function converts string to lower case.

    Syntax:

    <setEventAttribute attr="Arg2">
         toLower ($Arg1)
</setEventAttribute>

    Arg1: Variable storing the string to be converted to lower case.

    Arg2: Variable storing the converted string in lower case.

    Note: Variable can be a local variable or a FortiSIEM event attribute.

    Example:

    <setEventAttribute attr="filePath">
         toLower($filePath)
</setEventAttribute>

    Input:

    filePath = "C:\WINDOWS"

    Output:

    filePath = "c:\windows"

    toUpper

    Description: This function converts string to upper case.

    Syntax:

    <setEventAttribute attr="Arg2">
         toUpper ($Arg1)
</setEventAttribute>

    Arg1: Variable storing the string to be converted to upper case.

    Arg2: Variable storing the converted string in upper case.

    Note: Variable can be a local variable or a FortiSIEM event attribute.

    Example:

    <setEventAttribute attr="filePath">
         toUpper($filePath)
</setEventAttribute>

    Input:

    filePath = "C:\Windows"

    Output:

    filePath = "C:\WINDOWS"

    toDateTime

    Description: This function converts string formatted timestamp to Unix epoch time.

    Syntax:

    <setEventAttribute attr="Arg6">
         toDateTime($Arg1, $Arg2, [$Arg3], $Arg4, [$Arg5])
</setEventAttribute>

    Arg1: Variable storing the month: Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec or 1/2/3…/12.

    Arg2: Variable storing the day: 01-31.

    Arg3: Optional – Variable storing the year in YY or YYYY format.

    Arg4: Variable storing the time in HH:MM:SS format.

    Arg5: Optional - Variable storing the time zone in Z; UTC; GMT; -0700; +05:30; or AM / PM. Regex pattern is Z|UTC|GMT|[+-]\d{1,2}:?\d{2}|AM|PM. If AM or PM is passed directly, then $ is not required.

    Arg6: Variable storing converted Unix epoch time.

    Note: Variable can be a local variable or a FortiSIEM event attribute.

    Example:

    Three argument format – Month, Day, Time

    <setEventAttribute attr="deviceTime">
      toDateTime($_mon, $_day, $_time)
</setEventAttribute>

    Input:

    _mon: 06
    _day: 20
    _time: 06:04:00

    Output (server local timezone assumed e.g CST time):

    deviceTime: 1750460640

    Four argument format – Month, Day, Year, Time

    <setEventAttribute attr="deviceTime">
      toDateTime($_mon, $_day, $_year, $_time)
</setEventAttribute>

    Input:

    _mon: 06
    _day: 20
    _year: 2025
    _time: 06:04:00

    Output (server local timezone assumed e.g CST time):

    deviceTime: 1750460640

    Five argument format - Month, Day, Year, Time, Timezone

    <setEventAttribute attr="deviceTime">
    toDateTime($_mon, $_day, $_year, $_time,$_timezone)
</setEventAttribute>

    Input:

    _mon: 06
    _day: 20
    _year: 2025
    _time: 06:04:00
    _timezone: −06:00

    Output:

    deviceTime: 1750460640

    Five argument format - Month, Day, Year, Time, AM/PM

    <setEventAttribute attr="deviceTime">
    toDateTime($_mon, $_day, $_year, $_time, "PM")
</setEventAttribute>

    Input:

    _mon: 06
    _day: 20
    _year: 2025
    _time: 06:04:00

    Output:

    deviceTime: 1750460640

    toUnixTime

    Description: This function is designed to convert LDAP / Active Directory (GeneralizedTime) format to Unix epoch.

    The time format is YYYYMMDDHHMMSS.ffffff[+-]ZZZ e.g. 20100505222910.822003-000. Human readable representation of this timestamp is: 2010-05-05 22:29:10Z (UTC time)

    Syntax:

    <setEventAttribute attr="Arg2">
         toUnixTime ($Arg1)
</setEventAttribute>

    Arg1: Variable storing time in GeneralizedTime format: YYYYMMDDHHMMSS.ffffff[+-]ZZZ

    Arg2: Variable storing converted Unix epoch time

    Note: Variable can be a local variable or a FortiSIEM event attribute.

    Example:

    <setEventAttribute attr="deviceTime">
      toUnixTime($_deviceTime)
</setEventAttribute>

    Input:

    deviceTime: 20100505222910.822003-000

    Output:

    deviceTime: 1273098550

    convertHexStrToStr (Deprecated)

    Description: This function is deprecated.

    convertHostNameToIp (Deprecated)

    Description: This function is deprecated. Use this function instead: resolveDNSName.

    Previous
    Next

    Conversions Functions

    Conversion Functions

    These functions convert formats before setting to the event attributes.

    1. calculateMSec

    2. calculateSec

    3. convertHexStrToInt

    4. convertIpDecimalToStr

    5. convertStrToIntIpPort

    6. convertStrToIntIpProto

    7. toLower

    8. toUpper

    9. toDateTime

    10. toUnixTime

    The following are deprecated

    1. convertHexStrToStr

    2. convertHostNameToIp

    calculateMSec

    Description: This function converts a time duration in HH:MM:SS format to milliseconds.

    Syntax:

    <setEventAttribute attr="durationMSec">
            calculateMSec($_duration)
     </setEventAttribute>

    Arg1: Variable storing the time duration (HH:MM:SS format) to be converted to milliseconds.

    Arg2: Variable storing the time duration in milliseconds (integer).

    Note: Variable can be a local variable or a FortiSIEM event attribute.

    Example:

         <setEventAttribute attr="durationMSec">
            calculateMSec($_duration)
     </setEventAttribute>

    Suppose _duration is parsed as 00:01:05

    After execution:

    durationMSec: 65000

    calculateSec

    Description: This function converts a time duration in HH:MM:SS format to seconds.

    Syntax:

    <setEventAttribute attr="Arg2">
            calculateMSec(Arg1)
</setEventAttribute>

    Arg1: Variable storing the time duration (HH:MM:SS format) to be converted to seconds.

    Arg2: Variable storing the time duration in seconds (integer).

    Note: Variable can be a local variable or a FortiSIEM event attribute.

    Example:

    <setEventAttribute attr="vulnScanDuration">
     calculateSec($_duration)
</setEventAttribute>

    Suppose _duration is parsed as 00:01:05.

    After execution:

    vulnScanDuration: 65

    convertHexStrToInt

    Description: This function converts a hex number to integer.

    Syntax:

    <setEventAttribute attr="Arg2">
      convertHexStrToInt(Arg1)
</setEventAttribute>

    Arg1: Variable storing the value in hex format to be converted to integer.

    Arg2: Variable storing the converted integer value.

    Note: Variable can be a local variable or a FortiSIEM event attribute.

    Example:

    <setEventAttribute attr="ipConnId">
      convertHexStrToInt($_ipConnId)
</setEventAttribute>

    Input:

    _ipConnId: 0xA

    Output:

    ipConnId =10

    convertIpDecimalToStr

    Description: This function converts decimal IP address to string.

    Syntax:

    <setEventAttribute attr="Arg2">
     convertIpDecimalToStr(Arg1)
</setEventAttribute>

    Arg1: Variable storing the IPV4 value as integer.

    Arg2: Variable storing the converted IPV4 value in string format.

    Note: Variable can be a local variable or a FortiSIEM event attribute.

    Example:

    <setEventAttribute attr="srcIpAddr">
     convertIpDecimalToStr($_srcIpAddr)
</setEventAttribute>

    Input:

    _srcIpAddr = 16843009

    Output:

    srcIpAddr = 1.1.1.1

    convertStrToIntIpPort

    Description:This function converts TCP/UDP Port name to port number, e.g. HTTP -> 80.

    Syntax:

    <setEventAttribute attr="Arg2">
         convertStrToIntIpPort($Arg1)
</setEventAttribute>

    Arg1: Variable storing the TCP/UDP Port name in string format.

    Arg2: Variable storing the converted TCP/UDP Port name in integer format.

    Note: Variable can be a local variable or a FortiSIEM event attribute.

    Example:

    <setEventAttribute attr="destIpPort">
         convertStrToIntIpPort($appTransportProto)
</setEventAttribute>

    Input:

    appTransportProto = "http"

    Output:

    destIpPort = 80

    convertStrToIntIpProto

    Description:This function converts an IP protocol name (e.g. TCP, UDP, ICMP, etc.) to integer form.

    Syntax:

    <setEventAttribute attr="Arg2">
     convertStrToIntIpProto (Arg1)
</setEventAttribute>

    Arg1: Variable storing the IP protocol name in string format.

    Arg2: Variable storing the converted IP protocol name in integer format.

    Note: Variable can be a local variable or a FortiSIEM event attribute.

    Example:

    <setEventAttribute attr="ipProto">
      convertStrToIntIpProto($_proto)
</setEventAttribute>

    Input:

    _proto = "TCP"

    Output:

    ipProto = 6

    toLower

    Description: This function converts string to lower case.

    Syntax:

    <setEventAttribute attr="Arg2">
         toLower ($Arg1)
</setEventAttribute>

    Arg1: Variable storing the string to be converted to lower case.

    Arg2: Variable storing the converted string in lower case.

    Note: Variable can be a local variable or a FortiSIEM event attribute.

    Example:

    <setEventAttribute attr="filePath">
         toLower($filePath)
</setEventAttribute>

    Input:

    filePath = "C:\WINDOWS"

    Output:

    filePath = "c:\windows"

    toUpper

    Description: This function converts string to upper case.

    Syntax:

    <setEventAttribute attr="Arg2">
         toUpper ($Arg1)
</setEventAttribute>

    Arg1: Variable storing the string to be converted to upper case.

    Arg2: Variable storing the converted string in upper case.

    Note: Variable can be a local variable or a FortiSIEM event attribute.

    Example:

    <setEventAttribute attr="filePath">
         toUpper($filePath)
</setEventAttribute>

    Input:

    filePath = "C:\Windows"

    Output:

    filePath = "C:\WINDOWS"

    toDateTime

    Description: This function converts string formatted timestamp to Unix epoch time.

    Syntax:

    <setEventAttribute attr="Arg6">
         toDateTime($Arg1, $Arg2, [$Arg3], $Arg4, [$Arg5])
</setEventAttribute>

    Arg1: Variable storing the month: Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec or 1/2/3…/12.

    Arg2: Variable storing the day: 01-31.

    Arg3: Optional – Variable storing the year in YY or YYYY format.

    Arg4: Variable storing the time in HH:MM:SS format.

    Arg5: Optional - Variable storing the time zone in Z; UTC; GMT; -0700; +05:30; or AM / PM. Regex pattern is Z|UTC|GMT|[+-]\d{1,2}:?\d{2}|AM|PM. If AM or PM is passed directly, then $ is not required.

    Arg6: Variable storing converted Unix epoch time.

    Note: Variable can be a local variable or a FortiSIEM event attribute.

    Example:

    Three argument format – Month, Day, Time

    <setEventAttribute attr="deviceTime">
      toDateTime($_mon, $_day, $_time)
</setEventAttribute>

    Input:

    _mon: 06
    _day: 20
    _time: 06:04:00

    Output (server local timezone assumed e.g CST time):

    deviceTime: 1750460640

    Four argument format – Month, Day, Year, Time

    <setEventAttribute attr="deviceTime">
      toDateTime($_mon, $_day, $_year, $_time)
</setEventAttribute>

    Input:

    _mon: 06
    _day: 20
    _year: 2025
    _time: 06:04:00

    Output (server local timezone assumed e.g CST time):

    deviceTime: 1750460640

    Five argument format - Month, Day, Year, Time, Timezone

    <setEventAttribute attr="deviceTime">
    toDateTime($_mon, $_day, $_year, $_time,$_timezone)
</setEventAttribute>

    Input:

    _mon: 06
    _day: 20
    _year: 2025
    _time: 06:04:00
    _timezone: −06:00

    Output:

    deviceTime: 1750460640

    Five argument format - Month, Day, Year, Time, AM/PM

    <setEventAttribute attr="deviceTime">
    toDateTime($_mon, $_day, $_year, $_time, "PM")
</setEventAttribute>

    Input:

    _mon: 06
    _day: 20
    _year: 2025
    _time: 06:04:00

    Output:

    deviceTime: 1750460640

    toUnixTime

    Description: This function is designed to convert LDAP / Active Directory (GeneralizedTime) format to Unix epoch.

    The time format is YYYYMMDDHHMMSS.ffffff[+-]ZZZ e.g. 20100505222910.822003-000. Human readable representation of this timestamp is: 2010-05-05 22:29:10Z (UTC time)

    Syntax:

    <setEventAttribute attr="Arg2">
         toUnixTime ($Arg1)
</setEventAttribute>

    Arg1: Variable storing time in GeneralizedTime format: YYYYMMDDHHMMSS.ffffff[+-]ZZZ

    Arg2: Variable storing converted Unix epoch time

    Note: Variable can be a local variable or a FortiSIEM event attribute.

    Example:

    <setEventAttribute attr="deviceTime">
      toUnixTime($_deviceTime)
</setEventAttribute>

    Input:

    deviceTime: 20100505222910.822003-000

    Output:

    deviceTime: 1273098550

    convertHexStrToStr (Deprecated)

    Description: This function is deprecated.

    convertHostNameToIp (Deprecated)

    Description: This function is deprecated. Use this function instead: resolveDNSName.

    Previous
    Next