FortiSIEM
FortiSIEM normalized events after parsing many feeds; includes correlation results, rule triggers and incident IDs.
Global Fields (4)
Field | Description | Type |
---|---|---|
ngs.id | Unique identifier for the log entry. | string |
ngs.createdAt | Timestamp when the event was created locally. | pdate |
ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
ngs.source | Origin or source system of the log. | string |
Reference-Specific Fields (72)
Field | Description | Type |
---|---|---|
fortisiem.event | Raw event message as received by FortiSIEM. | text_general |
fortisiem.appCategory | Application category identified for the traffic or event. | string |
fortisiem.appTransportProto | Transport protocol used by the application (e.g., TCP, UDP). | string |
fortisiem.count | Count of occurrences or packets associated with this event. | plong |
fortisiem.destAction | Action taken on the destination side (allow, block, etc.). | string |
fortisiem.destDomain | Destination domain name involved in the event. | string |
fortisiem.destIntfName | Name of the destination network interface. | string |
fortisiem.destIpAddr | Destination IP address for the session or flow. | string |
fortisiem.destIpPort | Destination port number. | pint |
fortisiem.destMACAddr | Destination MAC address seen on the network. | string |
fortisiem.destName | Logical name or label of the destination host or service. | string |
fortisiem.destServiceName | Service name on the destination (HTTP, DNS, etc.). | string |
fortisiem.destUser | Username authenticated at the destination. | string |
fortisiem.destUserId | Unique identifier of the destination user. | plong |
fortisiem.destUserPriv | Privilege level of the destination user. | string |
fortisiem.deviceIdentification | Identifier of the device reporting the event. | string |
fortisiem.deviceTime9 | Timestamp from the device, in milliseconds since epoch. | plong |
fortisiem.domain | Domain or realm associated with the event or user. | string |
fortisiem.endTime9 | Event end time, in milliseconds since epoch. | plong |
fortisiem.errReason | Error reason or message if the event indicates a fault. | text_general |
fortisiem.extEventId | External event identifier, if correlated from another system. | plong |
fortisiem.fileAccess | Type of file access (read, write, delete, etc.). | string |
fortisiem.fileId | Unique identifier of the file accessed. | string |
fortisiem.fileModificationTime9 | File modification time, in milliseconds since epoch. | plong |
fortisiem.fileName | Name of the file involved in the event. | string |
fortisiem.filePath | Full path of the file involved in the event. | string |
fortisiem.fileSize | Size of the file in bytes. | plong |
fortisiem.fileType | Type or extension of the file (exe, txt, docx, etc.). | string |
fortisiem.hashCode | Hash value of the file or payload (MD5, SHA1, etc.). | string |
fortisiem.hostIpAddr | IP address of the host generating the event. | string |
fortisiem.hostMACAddr | MAC address of the host generating the event. | string |
fortisiem.hostName | Hostname of the device generating the event. | string |
fortisiem.httpCookie | HTTP cookie string sent by the client. | string |
fortisiem.httpMethod | HTTP method used (GET, POST, PUT, DELETE). | string |
fortisiem.httpReferrer | Value of the HTTP Referer header. | string |
fortisiem.httpUserAgent | User-Agent header string from the HTTP request. | string |
fortisiem.infoURL | URL to additional information or documentation for the event. | string |
fortisiem.ipProto | IP protocol number (e.g., 6 for TCP, 17 for UDP). | string |
fortisiem.msg | Free-form message field with event-specific details. | text_general |
fortisiem.postNATHostIpAddr | Host IP address after NAT translation. | string |
fortisiem.postNATSrcIpAddr | Source IP address after NAT translation. | string |
fortisiem.postNATSrcIpPort | Source port after NAT translation. | string |
fortisiem.procId | Process identifier on the host. | string |
fortisiem.procName | Name of the process generating the event. | string |
fortisiem.recvBytes | Number of bytes received by the host. | plong |
fortisiem.sentBytes | Number of bytes sent by the host. | plong |
fortisiem.serviceName | Name of the service or application involved. | string |
fortisiem.srcDomain | Source domain or realm of the user or device. | string |
fortisiem.srcIntfName | Name of the source network interface. | string |
fortisiem.srcIpAddr | Source IP address that initiated the event. | string |
fortisiem.srcIpPort | Source port that initiated the connection or event. | plong |
fortisiem.srcMACAddr | MAC address of the source device. | string |
fortisiem.srcName | Logical name of the source host or user. | string |
fortisiem.srcUser | Username of the source that initiated the event. | string |
fortisiem.srcUserPriv | Privilege level of the source user. | string |
fortisiem.startTime9 | Event start time, in milliseconds since epoch. | plong |
fortisiem.targetProcId | Process ID on the target host. | string |
fortisiem.targetProcName | Name of the process on the target host. | string |
fortisiem.supervisorName | Name of the supervising controller or manager. | string |
fortisiem.customer | Customer or tenant name in multi-tenant deployments. | string |
fortisiem.incidentDetail | Detailed description if the event is linked to an incident. | text_general |
fortisiem.ruleName | Name of the FortiSIEM rule that matched this event. | string |
fortisiem.inIncidentEventIdList | List of incident-related event IDs this record belongs to. | string |
fortisiem.phCustId | Placeholder customer ID for future use. | string |
fortisiem.incidentId | Identifier of the incident in FortiSIEM. | string |
fortisiem.header.vendor | CEF vendor field indicating the log source vendor. | string |
fortisiem.header.product | CEF product field indicating the log source product. | string |
fortisiem.header.productVersion | CEF product version field. | string |
fortisiem.header.eventClassID | CEF event class ID field. | string |
fortisiem.header.message | CEF message field with the event summary. | text_general |
fortisiem.header.severity | CEF severity field indicating event criticality. | pint |
fortisiem.rawEvent | Unparsed raw event string. | text_general |
Sample Log Event
Below is a representative JSON log entry showing key fields as they’re emitted by the system. Depending on the context of the event, some fields may be omitted if they’re not applicable.