fortinet Module
-
network.interface.name
-
Name of the network interface where the traffic has been observed.
type: keyword
-
rsa.internal.msg
-
This key is used to capture the raw message that comes into the Log Decoder
type: keyword
-
rsa.internal.messageid
-
type: keyword
-
rsa.internal.event_desc
-
type: keyword
-
rsa.internal.message
-
This key captures the contents of instant messages
type: keyword
-
rsa.internal.time
-
This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
type: date
-
rsa.internal.level
-
Deprecated key defined only in table map.
type: long
-
rsa.internal.msg_id
-
This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: keyword
-
rsa.internal.msg_vid
-
This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: keyword
-
rsa.internal.data
-
Deprecated key defined only in table map.
type: keyword
-
rsa.internal.obj_server
-
Deprecated key defined only in table map.
type: keyword
-
rsa.internal.obj_val
-
Deprecated key defined only in table map.
type: keyword
-
rsa.internal.resource
-
Deprecated key defined only in table map.
type: keyword
-
rsa.internal.obj_id
-
Deprecated key defined only in table map.
type: keyword
-
rsa.internal.statement
-
Deprecated key defined only in table map.
type: keyword
-
rsa.internal.audit_class
-
Deprecated key defined only in table map.
type: keyword
-
rsa.internal.entry
-
Deprecated key defined only in table map.
type: keyword
-
rsa.internal.hcode
-
Deprecated key defined only in table map.
type: keyword
-
rsa.internal.inode
-
Deprecated key defined only in table map.
type: long
-
rsa.internal.resource_class
-
Deprecated key defined only in table map.
type: keyword
-
rsa.internal.dead
-
Deprecated key defined only in table map.
type: long
-
rsa.internal.feed_desc
-
This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: keyword
-
rsa.internal.feed_name
-
This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: keyword
-
rsa.internal.cid
-
This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: keyword
-
rsa.internal.device_class
-
This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: keyword
-
rsa.internal.device_group
-
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: keyword
-
rsa.internal.device_host
-
This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: keyword
-
rsa.internal.device_ip
-
This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: ip
-
rsa.internal.device_ipv6
-
This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: ip
-
rsa.internal.device_type
-
This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: keyword
-
rsa.internal.device_type_id
-
Deprecated key defined only in table map.
type: long
-
rsa.internal.did
-
This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: keyword
-
rsa.internal.entropy_req
-
This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
type: long
-
rsa.internal.entropy_res
-
This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
type: long
-
rsa.internal.event_name
-
Deprecated key defined only in table map.
type: keyword
-
rsa.internal.feed_category
-
This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: keyword
-
rsa.internal.forward_ip
-
This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
type: ip
-
rsa.internal.forward_ipv6
-
This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: ip
-
rsa.internal.header_id
-
This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: keyword
-
rsa.internal.lc_cid
-
This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: keyword
-
rsa.internal.lc_ctime
-
This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: date
-
rsa.internal.mcb_req
-
This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
type: long
-
rsa.internal.mcb_res
-
This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
type: long
-
rsa.internal.mcbc_req
-
This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
type: long
-
rsa.internal.mcbc_res
-
This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
type: long
-
rsa.internal.medium
-
This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session
type: long
-
rsa.internal.node_name
-
Deprecated key defined only in table map.
type: keyword
-
rsa.internal.nwe_callback_id
-
This key denotes that event is endpoint related
type: keyword
-
rsa.internal.parse_error
-
This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: keyword
-
rsa.internal.payload_req
-
This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
type: long
-
rsa.internal.payload_res
-
This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
type: long
-
rsa.internal.process_vid_dst
-
Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the target process.
type: keyword
-
rsa.internal.process_vid_src
-
Endpoint generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the source process.
type: keyword
-
rsa.internal.rid
-
This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: long
-
rsa.internal.session_split
-
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: keyword
-
rsa.internal.site
-
Deprecated key defined only in table map.
type: keyword
-
rsa.internal.size
-
This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: long
-
rsa.internal.sourcefile
-
This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: keyword
-
rsa.internal.ubc_req
-
This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
type: long
-
rsa.internal.ubc_res
-
This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
type: long
-
rsa.internal.word
-
This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log
type: keyword
-
rsa.time.event_time
-
This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred in a standard normalized form
type: date
-
rsa.time.duration_time
-
This key is used to capture the normalized duration/lifetime in seconds.
type: double
-
rsa.time.event_time_str
-
This key is used to capture the incomplete time mentioned in a session as a string
type: keyword
-
rsa.time.starttime
-
This key is used to capture the Start time mentioned in a session in a standard form
type: date
-
rsa.time.month
-
type: keyword
-
rsa.time.day
-
type: keyword
-
rsa.time.endtime
-
This key is used to capture the End time mentioned in a session in a standard form
type: date
-
rsa.time.timezone
-
This key is used to capture the timezone of the Event Time
type: keyword
-
rsa.time.duration_str
-
A text string version of the duration
type: keyword
-
rsa.time.date
-
type: keyword
-
rsa.time.year
-
type: keyword
-
rsa.time.recorded_time
-
The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format.
type: date
-
rsa.time.datetime
-
type: keyword
-
rsa.time.effective_time
-
This key is the effective time referenced by an individual event in a Standard Timestamp format
type: date
-
rsa.time.expire_time
-
This key is the timestamp that explicitly refers to an expiration.
type: date
-
rsa.time.process_time
-
Deprecated, use duration.time
type: keyword
-
rsa.time.hour
-
type: keyword
-
rsa.time.min
-
type: keyword
-
rsa.time.timestamp
-
type: keyword
-
rsa.time.event_queue_time
-
This key is the Time that the event was queued.
type: date
-
rsa.time.p_time1
-
type: keyword
-
rsa.time.tzone
-
type: keyword
-
rsa.time.eventtime
-
type: keyword
-
rsa.time.gmtdate
-
type: keyword
-
rsa.time.gmttime
-
type: keyword
-
rsa.time.p_date
-
type: keyword
-
rsa.time.p_month
-
type: keyword
-
rsa.time.p_time
-
type: keyword
-
rsa.time.p_time2
-
type: keyword
-
rsa.time.p_year
-
type: keyword
-
rsa.time.expire_time_str
-
This key is used to capture incomplete timestamp that explicitly refers to an expiration.
type: keyword
-
rsa.time.stamp
-
Deprecated key defined only in table map.
type: date
-
rsa.misc.action
-
type: keyword
-
rsa.misc.result
-
This key is used to capture the outcome/result string value of an action in a session.
type: keyword
-
rsa.misc.severity
-
This key is used to capture the severity given the session
type: keyword
-
rsa.misc.event_type
-
This key captures the event category type as specified by the event source.
type: keyword
-
rsa.misc.reference_id
-
This key is used to capture an event id from the session directly
type: keyword
-
rsa.misc.version
-
This key captures Version of the application or OS which is generating the event.
type: keyword
-
rsa.misc.disposition
-
This key captures the end state of an action.
type: keyword
-
rsa.misc.result_code
-
This key is used to capture the outcome/result numeric value of an action in a session
type: keyword
-
rsa.misc.category
-
This key is used to capture the category of an event given by the vendor in the session
type: keyword
-
rsa.misc.obj_name
-
This is used to capture name of object
type: keyword
-
rsa.misc.obj_type
-
This is used to capture type of object
type: keyword
-
rsa.misc.event_source
-
This key captures Source of the event that’s not a hostname
type: keyword
-
rsa.misc.log_session_id
-
This key is used to capture a sessionid from the session directly
type: keyword
-
rsa.misc.group
-
This key captures the Group Name value
type: keyword
-
rsa.misc.policy_name
-
This key is used to capture the Policy Name only.
type: keyword
-
rsa.misc.rule_name
-
This key captures the Rule Name
type: keyword
-
rsa.misc.context
-
This key captures Information which adds additional context to the event.
type: keyword
-
rsa.misc.change_new
-
This key is used to capture the new values of the attribute that’s changing in a session
type: keyword
-
rsa.misc.space
-
type: keyword
-
rsa.misc.client
-
This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
type: keyword
-
rsa.misc.msgIdPart1
-
type: keyword
-
rsa.misc.msgIdPart2
-
type: keyword
-
rsa.misc.change_old
-
This key is used to capture the old value of the attribute that’s changing in a session
type: keyword
-
rsa.misc.operation_id
-
An alert number or operation number. The values should be unique and non-repeating.
type: keyword
-
rsa.misc.event_state
-
This key captures the current state of the object/item referenced within the event. Describing an on-going event.
type: keyword
-
rsa.misc.group_object
-
This key captures a collection/grouping of entities. Specific usage
type: keyword
-
rsa.misc.node
-
Common use case is the node name within a cluster. The cluster name is reflected by the host name.
type: keyword
-
rsa.misc.rule
-
This key captures the Rule number
type: keyword
-
rsa.misc.device_name
-
This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc
type: keyword
-
rsa.misc.param
-
This key is the parameters passed as part of a command or application, etc.
type: keyword
-
rsa.misc.change_attrib
-
This key is used to capture the name of the attribute that’s changing in a session
type: keyword
-
rsa.misc.event_computer
-
This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
type: keyword
-
rsa.misc.reference_id1
-
This key is for Linked ID to be used as an addition to "reference.id"
type: keyword
-
rsa.misc.event_log
-
This key captures the Name of the event log
type: keyword
-
rsa.misc.OS
-
This key captures the Name of the Operating System
type: keyword
-
rsa.misc.terminal
-
This key captures the Terminal Names only
type: keyword
-
rsa.misc.msgIdPart3
-
type: keyword
-
rsa.misc.filter
-
This key captures Filter used to reduce result set
type: keyword
-
rsa.misc.serial_number
-
This key is the Serial number associated with a physical asset.
type: keyword
-
rsa.misc.checksum
-
This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
type: keyword
-
rsa.misc.event_user
-
This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
type: keyword
-
rsa.misc.virusname
-
This key captures the name of the virus
type: keyword
-
rsa.misc.content_type
-
This key is used to capture Content Type only.
type: keyword
-
rsa.misc.group_id
-
This key captures Group ID Number (related to the group name)
type: keyword
-
rsa.misc.policy_id
-
This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
type: keyword
-
rsa.misc.vsys
-
This key captures Virtual System Name
type: keyword
-
rsa.misc.connection_id
-
This key captures the Connection ID
type: keyword
-
rsa.misc.reference_id2
-
This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
type: keyword
-
rsa.misc.sensor
-
This key captures Name of the sensor. Typically used in IDS/IPS based devices
type: keyword
-
rsa.misc.sig_id
-
This key captures IDS/IPS Int Signature ID
type: long
-
rsa.misc.port_name
-
This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).
type: keyword
-
rsa.misc.rule_group
-
This key captures the Rule group name
type: keyword
-
rsa.misc.risk_num
-
This key captures a Numeric Risk value
type: double
-
rsa.misc.trigger_val
-
This key captures the Value of the trigger or threshold condition.
type: keyword
-
rsa.misc.log_session_id1
-
This key is used to capture a Linked (Related) Session ID from the session directly
type: keyword
-
rsa.misc.comp_version
-
This key captures the Version level of a sub-component of a product.
type: keyword
-
rsa.misc.content_version
-
This key captures Version level of a signature or database content.
type: keyword
-
rsa.misc.hardware_id
-
This key is used to capture unique identifier for a device or system (NOT a Mac address)
type: keyword
-
rsa.misc.risk
-
This key captures the non-numeric risk value
type: keyword
-
rsa.misc.event_id
-
type: keyword
-
rsa.misc.reason
-
type: keyword
-
rsa.misc.status
-
type: keyword
-
rsa.misc.mail_id
-
This key is used to capture the mailbox id/name
type: keyword
-
rsa.misc.rule_uid
-
This key is the Unique Identifier for a rule.
type: keyword
-
rsa.misc.trigger_desc
-
This key captures the Description of the trigger or threshold condition.
type: keyword
-
rsa.misc.inout
-
type: keyword
-
rsa.misc.p_msgid
-
type: keyword
-
rsa.misc.data_type
-
type: keyword
-
rsa.misc.msgIdPart4
-
type: keyword
-
rsa.misc.error
-
This key captures All non successful Error codes or responses
type: keyword
-
rsa.misc.index
-
type: keyword
-
rsa.misc.listnum
-
This key is used to capture listname or listnumber, primarily for collecting access-list
type: keyword
-
rsa.misc.ntype
-
type: keyword
-
rsa.misc.observed_val
-
This key captures the Value observed (from the perspective of the device generating the log).
type: keyword
-
rsa.misc.policy_value
-
This key captures the contents of the policy. This contains details about the policy
type: keyword
-
rsa.misc.pool_name
-
This key captures the name of a resource pool
type: keyword
-
rsa.misc.rule_template
-
A default set of parameters which are overlaid onto a rule (or rulename) which effectively constitutes a template
type: keyword
-
rsa.misc.count
-
type: keyword
-
rsa.misc.number
-
type: keyword
-
rsa.misc.sigcat
-
type: keyword
-
rsa.misc.type
-
type: keyword
-
rsa.misc.comments
-
Comment information provided in the log message
type: keyword
-
rsa.misc.doc_number
-
This key captures File Identification number
type: long
-
rsa.misc.expected_val
-
This key captures the Value expected (from the perspective of the device generating the log).
type: keyword
-
rsa.misc.job_num
-
This key captures the Job Number
type: keyword
-
rsa.misc.spi_dst
-
Destination SPI Index
type: keyword
-
rsa.misc.spi_src
-
Source SPI Index
type: keyword
-
rsa.misc.code
-
type: keyword
-
rsa.misc.agent_id
-
This key is used to capture agent id
type: keyword
-
rsa.misc.message_body
-
This key captures the contents of the message body.
type: keyword
-
rsa.misc.phone
-
type: keyword
-
rsa.misc.sig_id_str
-
This key captures a string object of the sigid variable.
type: keyword
-
rsa.misc.cmd
-
type: keyword
-
rsa.misc.misc
-
type: keyword
-
rsa.misc.name
-
type: keyword
-
rsa.misc.cpu
-
This key is the CPU time used in the execution of the event being recorded.
type: long
-
rsa.misc.event_desc
-
This key is used to capture a description of an event available directly or inferred
type: keyword
-
rsa.misc.sig_id1
-
This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id
type: long
-
rsa.misc.im_buddyid
-
type: keyword
-
rsa.misc.im_client
-
type: keyword
-
rsa.misc.im_userid
-
type: keyword
-
rsa.misc.pid
-
type: keyword
-
rsa.misc.priority
-
type: keyword
-
rsa.misc.context_subject
-
This key is to be used in an audit context where the subject is the object being identified
type: keyword
-
rsa.misc.context_target
-
type: keyword
-
rsa.misc.cve
-
This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
type: keyword
-
rsa.misc.fcatnum
-
This key captures Filter Category Number. Legacy Usage
type: keyword
-
rsa.misc.library
-
This key is used to capture library information in mainframe devices
type: keyword
-
rsa.misc.parent_node
-
This key captures the Parent Node Name. Must be related to node variable.
type: keyword
-
rsa.misc.risk_info
-
Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)
type: keyword
-
rsa.misc.tcp_flags
-
This key captures the TCP flags set in any packet of the session
type: long
-
rsa.misc.tos
-
This key describes the type of service
type: long
-
rsa.misc.vm_target
-
VMWare Target VMWARE only variable.
type: keyword
-
rsa.misc.workspace
-
This key captures Workspace Description
type: keyword
-
rsa.misc.command
-
type: keyword
-
rsa.misc.event_category
-
type: keyword
-
rsa.misc.facilityname
-
type: keyword
-
rsa.misc.forensic_info
-
type: keyword
-
rsa.misc.jobname
-
type: keyword
-
rsa.misc.mode
-
type: keyword
-
rsa.misc.policy
-
type: keyword
-
rsa.misc.policy_waiver
-
type: keyword
-
rsa.misc.second
-
type: keyword
-
rsa.misc.space1
-
type: keyword
-
rsa.misc.subcategory
-
type: keyword
-
rsa.misc.tbdstr2
-
type: keyword
-
rsa.misc.alert_id
-
Deprecated, New Hunting Model (inv., ioc, boc, eoc, analysis.)
type: keyword
-
rsa.misc.checksum_dst
-
This key is used to capture the checksum or hash of the target entity such as a process or file.
type: keyword
-
rsa.misc.checksum_src
-
This key is used to capture the checksum or hash of the source entity such as a file or process.
type: keyword
-
rsa.misc.fresult
-
This key captures the Filter Result
type: long
-
rsa.misc.payload_dst
-
This key is used to capture destination payload
type: keyword
-
rsa.misc.payload_src
-
This key is used to capture source payload
type: keyword
-
rsa.misc.pool_id
-
This key captures the identifier (typically numeric field) of a resource pool
type: keyword
-
rsa.misc.process_id_val
-
This key is a failure key for Process ID when it is not an integer value
type: keyword
-
rsa.misc.risk_num_comm
-
This key captures Risk Number Community
type: double
-
rsa.misc.risk_num_next
-
This key captures Risk Number NextGen
type: double
-
rsa.misc.risk_num_sand
-
This key captures Risk Number SandBox
type: double
-
rsa.misc.risk_num_static
-
This key captures Risk Number Static
type: double
-
rsa.misc.risk_suspicious
-
Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)
type: keyword
-
rsa.misc.risk_warning
-
Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)
type: keyword
-
rsa.misc.snmp_oid
-
SNMP Object Identifier
type: keyword
-
rsa.misc.sql
-
This key captures the SQL query
type: keyword
-
rsa.misc.vuln_ref
-
This key captures the Vulnerability Reference details
type: keyword
-
rsa.misc.acl_id
-
type: keyword
-
rsa.misc.acl_op
-
type: keyword
-
rsa.misc.acl_pos
-
type: keyword
-
rsa.misc.acl_table
-
type: keyword
-
rsa.misc.admin
-
type: keyword
-
rsa.misc.alarm_id
-
type: keyword
-
rsa.misc.alarmname
-
type: keyword
-
rsa.misc.app_id
-
type: keyword
-
rsa.misc.audit
-
type: keyword
-
rsa.misc.audit_object
-
type: keyword
-
rsa.misc.auditdata
-
type: keyword
-
rsa.misc.benchmark
-
type: keyword
-
rsa.misc.bypass
-
type: keyword
-
rsa.misc.cache
-
type: keyword
-
rsa.misc.cache_hit
-
type: keyword
-
rsa.misc.cefversion
-
type: keyword
-
rsa.misc.cfg_attr
-
type: keyword
-
rsa.misc.cfg_obj
-
type: keyword
-
rsa.misc.cfg_path
-
type: keyword
-
rsa.misc.changes
-
type: keyword
-
rsa.misc.client_ip
-
type: keyword
-
rsa.misc.clustermembers
-
type: keyword
-
rsa.misc.cn_acttimeout
-
type: keyword
-
rsa.misc.cn_asn_src
-
type: keyword
-
rsa.misc.cn_bgpv4nxthop
-
type: keyword
-
rsa.misc.cn_ctr_dst_code
-
type: keyword
-
rsa.misc.cn_dst_tos
-
type: keyword
-
rsa.misc.cn_dst_vlan
-
type: keyword
-
rsa.misc.cn_engine_id
-
type: keyword
-
rsa.misc.cn_engine_type
-
type: keyword
-
rsa.misc.cn_f_switch
-
type: keyword
-
rsa.misc.cn_flowsampid
-
type: keyword
-
rsa.misc.cn_flowsampintv
-
type: keyword
-
rsa.misc.cn_flowsampmode
-
type: keyword
-
rsa.misc.cn_inacttimeout
-
type: keyword
-
rsa.misc.cn_inpermbyts
-
type: keyword
-
rsa.misc.cn_inpermpckts
-
type: keyword
-
rsa.misc.cn_invalid
-
type: keyword
-
rsa.misc.cn_ip_proto_ver
-
type: keyword
-
rsa.misc.cn_ipv4_ident
-
type: keyword
-
rsa.misc.cn_l_switch
-
type: keyword
-
rsa.misc.cn_log_did
-
type: keyword
-
rsa.misc.cn_log_rid
-
type: keyword
-
rsa.misc.cn_max_ttl
-
type: keyword
-
rsa.misc.cn_maxpcktlen
-
type: keyword
-
rsa.misc.cn_min_ttl
-
type: keyword
-
rsa.misc.cn_minpcktlen
-
type: keyword
-
rsa.misc.cn_mpls_lbl_1
-
type: keyword
-
rsa.misc.cn_mpls_lbl_10
-
type: keyword
-
rsa.misc.cn_mpls_lbl_2
-
type: keyword
-
rsa.misc.cn_mpls_lbl_3
-
type: keyword
-
rsa.misc.cn_mpls_lbl_4
-
type: keyword
-
rsa.misc.cn_mpls_lbl_5
-
type: keyword
-
rsa.misc.cn_mpls_lbl_6
-
type: keyword
-
rsa.misc.cn_mpls_lbl_7
-
type: keyword
-
rsa.misc.cn_mpls_lbl_8
-
type: keyword
-
rsa.misc.cn_mpls_lbl_9
-
type: keyword
-
rsa.misc.cn_mplstoplabel
-
type: keyword
-
rsa.misc.cn_mplstoplabip
-
type: keyword
-
rsa.misc.cn_mul_dst_byt
-
type: keyword
-
rsa.misc.cn_mul_dst_pks
-
type: keyword
-
rsa.misc.cn_muligmptype
-
type: keyword
-
rsa.misc.cn_sampalgo
-
type: keyword
-
rsa.misc.cn_sampint
-
type: keyword
-
rsa.misc.cn_seqctr
-
type: keyword
-
rsa.misc.cn_spackets
-
type: keyword
-
rsa.misc.cn_src_tos
-
type: keyword
-
rsa.misc.cn_src_vlan
-
type: keyword
-
rsa.misc.cn_sysuptime
-
type: keyword
-
rsa.misc.cn_template_id
-
type: keyword
-
rsa.misc.cn_totbytsexp
-
type: keyword
-
rsa.misc.cn_totflowexp
-
type: keyword
-
rsa.misc.cn_totpcktsexp
-
type: keyword
-
rsa.misc.cn_unixnanosecs
-
type: keyword
-
rsa.misc.cn_v6flowlabel
-
type: keyword
-
rsa.misc.cn_v6optheaders
-
type: keyword
-
rsa.misc.comp_class
-
type: keyword
-
rsa.misc.comp_name
-
type: keyword
-
rsa.misc.comp_rbytes
-
type: keyword
-
rsa.misc.comp_sbytes
-
type: keyword
-
rsa.misc.cpu_data
-
type: keyword
-
rsa.misc.criticality
-
type: keyword
-
rsa.misc.cs_agency_dst
-
type: keyword
-
rsa.misc.cs_analyzedby
-
type: keyword
-
rsa.misc.cs_av_other
-
type: keyword
-
rsa.misc.cs_av_primary
-
type: keyword
-
rsa.misc.cs_av_secondary
-
type: keyword
-
rsa.misc.cs_bgpv6nxthop
-
type: keyword
-
rsa.misc.cs_bit9status
-
type: keyword
-
rsa.misc.cs_context
-
type: keyword
-
rsa.misc.cs_control
-
type: keyword
-
rsa.misc.cs_data
-
type: keyword
-
rsa.misc.cs_datecret
-
type: keyword
-
rsa.misc.cs_dst_tld
-
type: keyword
-
rsa.misc.cs_eth_dst_ven
-
type: keyword
-
rsa.misc.cs_eth_src_ven
-
type: keyword
-
rsa.misc.cs_event_uuid
-
type: keyword
-
rsa.misc.cs_filetype
-
type: keyword
-
rsa.misc.cs_fld
-
type: keyword
-
rsa.misc.cs_if_desc
-
type: keyword
-
rsa.misc.cs_if_name
-
type: keyword
-
rsa.misc.cs_ip_next_hop
-
type: keyword
-
rsa.misc.cs_ipv4dstpre
-
type: keyword
-
rsa.misc.cs_ipv4srcpre
-
type: keyword
-
rsa.misc.cs_lifetime
-
type: keyword
-
rsa.misc.cs_log_medium
-
type: keyword
-
rsa.misc.cs_loginname
-
type: keyword
-
rsa.misc.cs_modulescore
-
type: keyword
-
rsa.misc.cs_modulesign
-
type: keyword
-
rsa.misc.cs_opswatresult
-
type: keyword
-
rsa.misc.cs_payload
-
type: keyword
-
rsa.misc.cs_registrant
-
type: keyword
-
rsa.misc.cs_registrar
-
type: keyword
-
rsa.misc.cs_represult
-
type: keyword
-
rsa.misc.cs_rpayload
-
type: keyword
-
rsa.misc.cs_sampler_name
-
type: keyword
-
rsa.misc.cs_sourcemodule
-
type: keyword
-
rsa.misc.cs_streams
-
type: keyword
-
rsa.misc.cs_targetmodule
-
type: keyword
-
rsa.misc.cs_v6nxthop
-
type: keyword
-
rsa.misc.cs_whois_server
-
type: keyword
-
rsa.misc.cs_yararesult
-
type: keyword
-
rsa.misc.description
-
type: keyword
-
rsa.misc.devvendor
-
type: keyword
-
rsa.misc.distance
-
type: keyword
-
rsa.misc.dstburb
-
type: keyword
-
rsa.misc.edomain
-
type: keyword
-
rsa.misc.edomaub
-
type: keyword
-
rsa.misc.euid
-
type: keyword
-
rsa.misc.facility
-
type: keyword
-
rsa.misc.finterface
-
type: keyword
-
rsa.misc.flags
-
type: keyword
-
rsa.misc.gaddr
-
type: keyword
-
rsa.misc.id3
-
type: keyword
-
rsa.misc.im_buddyname
-
type: keyword
-
rsa.misc.im_croomid
-
type: keyword
-
rsa.misc.im_croomtype
-
type: keyword
-
rsa.misc.im_members
-
type: keyword
-
rsa.misc.im_username
-
type: keyword
-
rsa.misc.ipkt
-
type: keyword
-
rsa.misc.ipscat
-
type: keyword
-
rsa.misc.ipspri
-
type: keyword
-
rsa.misc.latitude
-
type: keyword
-
rsa.misc.linenum
-
type: keyword
-
rsa.misc.list_name
-
type: keyword
-
rsa.misc.load_data
-
type: keyword
-
rsa.misc.location_floor
-
type: keyword
-
rsa.misc.location_mark
-
type: keyword
-
rsa.misc.log_id
-
type: keyword
-
rsa.misc.log_type
-
type: keyword
-
rsa.misc.logid
-
type: keyword
-
rsa.misc.logip
-
type: keyword
-
rsa.misc.logname
-
type: keyword
-
rsa.misc.longitude
-
type: keyword
-
rsa.misc.lport
-
type: keyword
-
rsa.misc.mbug_data
-
type: keyword
-
rsa.misc.misc_name
-
type: keyword
-
rsa.misc.msg_type
-
type: keyword
-
rsa.misc.msgid
-
type: keyword
-
rsa.misc.netsessid
-
type: keyword
-
rsa.misc.num
-
type: keyword
-
rsa.misc.number1
-
type: keyword
-
rsa.misc.number2
-
type: keyword
-
rsa.misc.nwwn
-
type: keyword
-
rsa.misc.object
-
type: keyword
-
rsa.misc.operation
-
type: keyword
-
rsa.misc.opkt
-
type: keyword
-
rsa.misc.orig_from
-
type: keyword
-
rsa.misc.owner_id
-
type: keyword
-
rsa.misc.p_action
-
type: keyword
-
rsa.misc.p_filter
-
type: keyword
-
rsa.misc.p_group_object
-
type: keyword
-
rsa.misc.p_id
-
type: keyword
-
rsa.misc.p_msgid1
-
type: keyword
-
rsa.misc.p_msgid2
-
type: keyword
-
rsa.misc.p_result1
-
type: keyword
-
rsa.misc.password_chg
-
type: keyword
-
rsa.misc.password_expire
-
type: keyword
-
rsa.misc.permgranted
-
type: keyword
-
rsa.misc.permwanted
-
type: keyword
-
rsa.misc.pgid
-
type: keyword
-
rsa.misc.policyUUID
-
type: keyword
-
rsa.misc.prog_asp_num
-
type: keyword
-
rsa.misc.program
-
type: keyword
-
rsa.misc.real_data
-
type: keyword
-
rsa.misc.rec_asp_device
-
type: keyword
-
rsa.misc.rec_asp_num
-
type: keyword
-
rsa.misc.rec_library
-
type: keyword
-
rsa.misc.recordnum
-
type: keyword
-
rsa.misc.ruid
-
type: keyword
-
rsa.misc.sburb
-
type: keyword
-
rsa.misc.sdomain_fld
-
type: keyword
-
rsa.misc.sec
-
type: keyword
-
rsa.misc.sensorname
-
type: keyword
-
rsa.misc.seqnum
-
type: keyword
-
rsa.misc.session
-
type: keyword
-
rsa.misc.sessiontype
-
type: keyword
-
rsa.misc.sigUUID
-
type: keyword
-
rsa.misc.spi
-
type: keyword
-
rsa.misc.srcburb
-
type: keyword
-
rsa.misc.srcdom
-
type: keyword
-
rsa.misc.srcservice
-
type: keyword
-
rsa.misc.state
-
type: keyword
-
rsa.misc.status1
-
type: keyword
-
rsa.misc.svcno
-
type: keyword
-
rsa.misc.system
-
type: keyword
-
rsa.misc.tbdstr1
-
type: keyword
-
rsa.misc.tgtdom
-
type: keyword
-
rsa.misc.tgtdomain
-
type: keyword
-
rsa.misc.threshold
-
type: keyword
-
rsa.misc.type1
-
type: keyword
-
rsa.misc.udb_class
-
type: keyword
-
rsa.misc.url_fld
-
type: keyword
-
rsa.misc.user_div
-
type: keyword
-
rsa.misc.userid
-
type: keyword
-
rsa.misc.username_fld
-
type: keyword
-
rsa.misc.utcstamp
-
type: keyword
-
rsa.misc.v_instafname
-
type: keyword
-
rsa.misc.virt_data
-
type: keyword
-
rsa.misc.vpnid
-
type: keyword
-
rsa.misc.autorun_type
-
This is used to capture Auto Run type
type: keyword
-
rsa.misc.cc_number
-
Valid Credit Card Numbers only
type: long
-
rsa.misc.content
-
This key captures the content type from protocol headers
type: keyword
-
rsa.misc.ein_number
-
Employee Identification Numbers only
type: long
-
rsa.misc.found
-
This is used to capture the results of regex match
type: keyword
-
rsa.misc.language
-
This is used to capture the list of languages the client supports and which it prefers
type: keyword
-
rsa.misc.lifetime
-
This key is used to capture the session lifetime in seconds.
type: long
-
rsa.misc.link
-
This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
type: keyword
-
rsa.misc.match
-
This key is for regex match name from search.ini
type: keyword
-
rsa.misc.param_dst
-
This key captures the command line/launch argument of the target process or file
type: keyword
-
rsa.misc.param_src
-
This key captures source parameter
type: keyword
-
rsa.misc.search_text
-
This key captures the Search Text used
type: keyword
-
rsa.misc.sig_name
-
This key is used to capture the Signature Name only.
type: keyword
-
rsa.misc.snmp_value
-
SNMP set request value
type: keyword
-
rsa.misc.streams
-
This key captures number of streams in session
type: long
-
rsa.db.index
-
This key captures IndexID of the index.
type: keyword
-
rsa.db.instance
-
This key is used to capture the database server instance name
type: keyword
-
rsa.db.database
-
This key is used to capture the name of a database or an instance as seen in a session
type: keyword
-
rsa.db.transact_id
-
This key captures the SQL transaction ID of the current session
type: keyword
-
rsa.db.permissions
-
This key captures permission or privilege level assigned to a resource.
type: keyword
-
rsa.db.table_name
-
This key is used to capture the table name
type: keyword
-
rsa.db.db_id
-
This key is used to capture the unique identifier for a database
type: keyword
-
rsa.db.db_pid
-
This key captures the process id of a connection with database server
type: long
-
rsa.db.lread
-
This key is used for the number of logical reads
type: long
-
rsa.db.lwrite
-
This key is used for the number of logical writes
type: long
-
rsa.db.pread
-
This key is used for the number of physical writes
type: long
-
rsa.network.alias_host
-
This key should be used when the source or destination context of a hostname is not clear. It also captures the Device Hostname. Any Hostname that isn't ad.computer.
type: keyword
-
rsa.network.domain
-
type: keyword
-
rsa.network.host_dst
-
This key should only be used when it’s a Destination Hostname
type: keyword
-
rsa.network.network_service
-
This is used to capture layer 7 protocols/service names
type: keyword
-
rsa.network.interface
-
This key should be used when the source or destination context of an interface is not clear
type: keyword
-
rsa.network.network_port
-
Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)
type: long
-
rsa.network.eth_host
-
Deprecated, use alias.mac
type: keyword
-
rsa.network.sinterface
-
This key should only be used when it’s a Source Interface
type: keyword
-
rsa.network.dinterface
-
This key should only be used when it’s a Destination Interface
type: keyword
-
rsa.network.vlan
-
This key should only be used to capture the ID of the Virtual LAN
type: long
-
rsa.network.zone_src
-
This key should only be used when it’s a Source Zone.
type: keyword
-
rsa.network.zone
-
This key should be used when the source or destination context of a Zone is not clear
type: keyword
-
rsa.network.zone_dst
-
This key should only be used when it’s a Destination Zone.
type: keyword
-
rsa.network.gateway
-
This key is used to capture the IP Address of the gateway
type: keyword
-
rsa.network.icmp_type
-
This key is used to capture the ICMP type only
type: long
-
rsa.network.mask
-
This key is used to capture the device network IPmask.
type: keyword
-
rsa.network.icmp_code
-
This key is used to capture the ICMP code only
type: long
-
rsa.network.protocol_detail
-
This key should be used to capture additional protocol information
type: keyword
-
rsa.network.dmask
-
This key is used for Destination Device network mask
type: keyword
-
rsa.network.port
-
This key should only be used to capture a Network Port when the directionality is not clear
type: long
-
rsa.network.smask
-
This key is used for capturing source Network Mask
type: keyword
-
rsa.network.netname
-
This key is used to capture the network name associated with an IP range. This is configured by the end user.
type: keyword
-
rsa.network.paddr
-
Deprecated
type: ip
-
rsa.network.faddr
-
type: keyword
-
rsa.network.lhost
-
type: keyword
-
rsa.network.origin
-
type: keyword
-
rsa.network.remote_domain_id
-
type: keyword
-
rsa.network.addr
-
type: keyword
-
rsa.network.dns_a_record
-
type: keyword
-
rsa.network.dns_ptr_record
-
type: keyword
-
rsa.network.fhost
-
type: keyword
-
rsa.network.fport
-
type: keyword
-
rsa.network.laddr
-
type: keyword
-
rsa.network.linterface
-
type: keyword
-
rsa.network.phost
-
type: keyword
-
rsa.network.ad_computer_dst
-
Deprecated, use host.dst
type: keyword
-
rsa.network.eth_type
-
This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
type: long
-
rsa.network.ip_proto
-
This key should be used to capture the Protocol number; all the protocol numbers are converted into strings in the UI
type: long
-
rsa.network.dns_cname_record
-
type: keyword
-
rsa.network.dns_id
-
type: keyword
-
rsa.network.dns_opcode
-
type: keyword
-
rsa.network.dns_resp
-
type: keyword
-
rsa.network.dns_type
-
type: keyword
-
rsa.network.domain1
-
type: keyword
-
rsa.network.host_type
-
type: keyword
-
rsa.network.packet_length
-
type: keyword
-
rsa.network.host_orig
-
This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
type: keyword
-
rsa.network.rpayload
-
This key is used to capture the total number of payload bytes seen in the retransmitted packets.
type: keyword
-
rsa.network.vlan_name
-
This key should only be used to capture the name of the Virtual LAN
type: keyword
-
rsa.investigations.ec_activity
-
This key captures the particular event activity (Ex: Logoff)
type: keyword
-
rsa.investigations.ec_theme
-
This key captures the Theme of a particular Event (Ex: Authentication)
type: keyword
-
rsa.investigations.ec_subject
-
This key captures the Subject of a particular Event (Ex: User)
type: keyword
-
rsa.investigations.ec_outcome
-
This key captures the outcome of a particular Event (Ex: Success)
type: keyword
-
rsa.investigations.event_cat
-
This key captures the Event category number
type: long
-
rsa.investigations.event_cat_name
-
This key captures the event category name corresponding to the event cat code
type: keyword
-
rsa.investigations.event_vcat
-
This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
type: keyword
-
rsa.investigations.analysis_file
-
This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
type: keyword
-
rsa.investigations.analysis_service
-
This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
type: keyword
-
rsa.investigations.analysis_session
-
This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
type: keyword
-
rsa.investigations.boc
-
This is used to capture behaviour of compromise
type: keyword
-
rsa.investigations.eoc
-
This is used to capture Enablers of Compromise
type: keyword
-
rsa.investigations.inv_category
-
This is used to capture the investigation category
type: keyword
-
rsa.investigations.inv_context
-
This is used to capture the investigation context
type: keyword
-
rsa.investigations.ioc
-
This key captures the indicator of compromise
type: keyword
-
rsa.counters.dclass_c1
-
This is a generic counter key that should be used with the label dclass.c1.str only
type: long
-
rsa.counters.dclass_c2
-
This is a generic counter key that should be used with the label dclass.c2.str only
type: long
-
rsa.counters.event_counter
-
This is used to capture the number of times an event repeated
type: long
-
rsa.counters.dclass_r1
-
This is a generic ratio key that should be used with the label dclass.r1.str only
type: keyword
-
rsa.counters.dclass_c3
-
This is a generic counter key that should be used with the label dclass.c3.str only
type: long
-
rsa.counters.dclass_c1_str
-
This is a generic counter string key that should be used with the label dclass.c1 only
type: keyword
-
rsa.counters.dclass_c2_str
-
This is a generic counter string key that should be used with the label dclass.c2 only
type: keyword
-
rsa.counters.dclass_r1_str
-
This is a generic ratio string key that should be used with the label dclass.r1 only
type: keyword
-
rsa.counters.dclass_r2
-
This is a generic ratio key that should be used with the label dclass.r2.str only
type: keyword
-
rsa.counters.dclass_c3_str
-
This is a generic counter string key that should be used with the label dclass.c3 only
type: keyword
-
rsa.counters.dclass_r3
-
This is a generic ratio key that should be used with the label dclass.r3.str only
type: keyword
-
rsa.counters.dclass_r2_str
-
This is a generic ratio string key that should be used with the label dclass.r2 only
type: keyword
-
rsa.counters.dclass_r3_str
-
This is a generic ratio string key that should be used with the label dclass.r3 only
type: keyword
-
rsa.identity.auth_method
-
This key is used to capture authentication methods used only
type: keyword
-
rsa.identity.user_role
-
This key is used to capture the Role of a user only
type: keyword
-
rsa.identity.dn
-
X.500 (LDAP) Distinguished Name
type: keyword
-
rsa.identity.logon_type
-
This key is used to capture the type of logon method used.
type: keyword
-
rsa.identity.profile
-
This key is used to capture the user profile
type: keyword
-
rsa.identity.accesses
-
This key is used to capture actual privileges used in accessing an object
type: keyword
-
rsa.identity.realm
-
Radius realm or similar grouping of accounts
type: keyword
-
rsa.identity.user_sid_dst
-
This key captures Destination User Session ID
type: keyword
-
rsa.identity.dn_src
-
An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
type: keyword
-
rsa.identity.org
-
This key captures the User organization
type: keyword
-
rsa.identity.dn_dst
-
An X.500 (LDAP) Distinguished name that is used in a context that indicates a Destination dn
type: keyword
-
rsa.identity.firstname
-
This key is for First Names only. It is used predominantly in Healthcare to capture patient information
type: keyword
-
rsa.identity.lastname
-
This key is for Last Names only. It is used predominantly in Healthcare to capture patient information
type: keyword
-
rsa.identity.user_dept
-
User’s Department Names only
type: keyword
-
rsa.identity.user_sid_src
-
This key captures Source User Session ID
type: keyword
-
rsa.identity.federated_sp
-
This key is the Federated Service Provider. This is the application requesting authentication.
type: keyword
-
rsa.identity.federated_idp
-
This key is the federated Identity Provider. This is the server providing the authentication.
type: keyword
-
rsa.identity.logon_type_desc
-
This key is used to capture the textual description of an integer logon type as stored in the meta key logon.type.
type: keyword
-
rsa.identity.middlename
-
This key is for Middle Names only. It is used predominantly in Healthcare to capture patient information
type: keyword
-
rsa.identity.password
-
This key is for Passwords seen in any session, plain text or encrypted
type: keyword
-
rsa.identity.host_role
-
This key should only be used to capture the role of a Host Machine
type: keyword
-
rsa.identity.ldap
-
This key is for uninterpreted LDAP values: LDAP values that don't have a clear query or response context
type: keyword
-
rsa.identity.ldap_query
-
This key is the Search criteria from an LDAP search
type: keyword
-
rsa.identity.ldap_response
-
This key is to capture Results from an LDAP search
type: keyword
-
rsa.identity.owner
-
This is used to capture the username the process or service is running as, the author of the task
type: keyword
-
rsa.identity.service_account
-
This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage
type: keyword
-
rsa.email.email_dst
-
This key is used to capture the Destination email address only, when the destination context is not clear use email
type: keyword
-
rsa.email.email_src
-
This key is used to capture the source email address only, when the source context is not clear use email
type: keyword
-
rsa.email.subject
-
This key is used to capture the subject string from an Email only.
type: keyword
-
rsa.email.email
-
This key is used to capture a generic email address where the source or destination context is not clear
type: keyword
-
rsa.email.trans_from
-
Deprecated key defined only in table map.
type: keyword
-
rsa.email.trans_to
-
Deprecated key defined only in table map.
type: keyword
-
rsa.file.privilege
-
Deprecated, use permissions
type: keyword
-
rsa.file.attachment
-
This key captures the attachment file name
type: keyword
-
rsa.file.filesystem
-
type: keyword
-
rsa.file.binary
-
Deprecated key defined only in table map.
type: keyword
-
rsa.file.filename_dst
-
This is used to capture name of the file targeted by the action
type: keyword
-
rsa.file.filename_src
-
This is used to capture name of the parent filename, the file which performed the action
type: keyword
-
rsa.file.filename_tmp
-
type: keyword
-
rsa.file.directory_dst
-
This key is used to capture the directory of the target process or file
type: keyword
-
rsa.file.directory_src
-
This key is used to capture the directory of the source process or file
type: keyword
-
rsa.file.file_entropy
-
This is used to capture the entropy value of a file
type: double
-
rsa.file.file_vendor
-
This is used to capture Company name of file located in version_info
type: keyword
-
rsa.file.task_name
-
This is used to capture name of the task
type: keyword
-
rsa.web.fqdn
-
Fully Qualified Domain Names
type: keyword
-
rsa.web.web_cookie
-
This key is used to capture the Web cookies specifically.
type: keyword
-
rsa.web.alias_host
-
type: keyword
-
rsa.web.reputation_num
-
Reputation Number of an entity. Typically used for Web Domains
type: double
-
rsa.web.web_ref_domain
-
Web referer’s domain
type: keyword
-
rsa.web.web_ref_query
-
This key captures Web referer’s query portion of the URL
type: keyword
-
rsa.web.remote_domain
-
type: keyword
-
rsa.web.web_ref_page
-
This key captures Web referer’s page information
type: keyword
-
rsa.web.web_ref_root
-
Web referer’s root URL path
type: keyword
-
rsa.web.cn_asn_dst
-
type: keyword
-
rsa.web.cn_rpackets
-
type: keyword
-
rsa.web.urlpage
-
type: keyword
-
rsa.web.urlroot
-
type: keyword
-
rsa.web.p_url
-
type: keyword
-
rsa.web.p_user_agent
-
type: keyword
-
rsa.web.p_web_cookie
-
type: keyword
-
rsa.web.p_web_method
-
type: keyword
-
rsa.web.p_web_referer
-
type: keyword
-
rsa.web.web_extension_tmp
-
type: keyword
-
rsa.web.web_page
-
type: keyword
-
rsa.threat.threat_category
-
This key captures Threat Name/Threat Category/Categorization of alert
type: keyword
-
rsa.threat.threat_desc
-
This key is used to capture the threat description from the session directly or inferred
type: keyword
-
rsa.threat.alert
-
This key is used to capture name of the alert
type: keyword
-
rsa.threat.threat_source
-
This key is used to capture source of the threat
type: keyword
-
rsa.crypto.crypto
-
This key is used to capture the Encryption Type or Encryption Key only
type: keyword
-
rsa.crypto.cipher_src
-
This key is for Source (Client) Cipher
type: keyword
-
rsa.crypto.cert_subject
-
This key is used to capture the Certificate organization only
type: keyword
-
rsa.crypto.peer
-
This key is for Encryption peer’s IP Address
type: keyword
-
rsa.crypto.cipher_size_src
-
This key captures Source (Client) Cipher Size
type: long
-
rsa.crypto.ike
-
IKE negotiation phase.
type: keyword
-
rsa.crypto.scheme
-
This key captures the Encryption scheme used
type: keyword
-
rsa.crypto.peer_id
-
This key is for Encryption peer’s identity
type: keyword
-
rsa.crypto.sig_type
-
This key captures the Signature Type
type: keyword
-
rsa.crypto.cert_issuer
-
type: keyword
-
rsa.crypto.cert_host_name
-
Deprecated key defined only in table map.
type: keyword
-
rsa.crypto.cert_error
-
This key captures the Certificate Error String
type: keyword
-
rsa.crypto.cipher_dst
-
This key is for Destination (Server) Cipher
type: keyword
-
rsa.crypto.cipher_size_dst
-
This key captures Destination (Server) Cipher Size
type: long
-
rsa.crypto.ssl_ver_src
-
Deprecated, use version
type: keyword
-
rsa.crypto.d_certauth
-
type: keyword
-
rsa.crypto.s_certauth
-
type: keyword
-
rsa.crypto.ike_cookie1
-
ID of the negotiation — sent for ISAKMP Phase One
type: keyword
-
rsa.crypto.ike_cookie2
-
ID of the negotiation — sent for ISAKMP Phase Two
type: keyword
-
rsa.crypto.cert_checksum
-
type: keyword
-
rsa.crypto.cert_host_cat
-
This key is used for the hostname category value of a certificate
type: keyword
-
rsa.crypto.cert_serial
-
This key is used to capture the Certificate serial number only
type: keyword
-
rsa.crypto.cert_status
-
This key captures Certificate validation status
type: keyword
-
rsa.crypto.ssl_ver_dst
-
Deprecated, use version
type: keyword
-
rsa.crypto.cert_keysize
-
type: keyword
-
rsa.crypto.cert_username
-
type: keyword
-
rsa.crypto.https_insact
-
type: keyword
-
rsa.crypto.https_valid
-
type: keyword
-
rsa.crypto.cert_ca
-
This key is used to capture the Certificate signing authority only
type: keyword
-
rsa.crypto.cert_common
-
This key is used to capture the Certificate common name only
type: keyword
-
rsa.wireless.wlan_ssid
-
This key is used to capture the ssid of a Wireless Session
type: keyword
-
rsa.wireless.access_point
-
This key is used to capture the access point name.
type: keyword
-
rsa.wireless.wlan_channel
-
This is used to capture the channel names
type: long
-
rsa.wireless.wlan_name
-
This key captures either WLAN number/name
type: keyword
-
rsa.storage.disk_volume
-
A unique name assigned to logical units (volumes) within a physical disk
type: keyword
-
rsa.storage.lun
-
Logical Unit Number. This key is a very useful concept in Storage.
type: keyword
-
rsa.storage.pwwn
-
This uniquely identifies a port on a HBA.
type: keyword
-
rsa.physical.org_dst
-
This is used to capture the destination organization based on the GeoIP MaxMind database.
type: keyword
-
rsa.physical.org_src
-
This is used to capture the source organization based on the GeoIP MaxMind database.
type: keyword
-
rsa.healthcare.patient_fname
-
This key is for First Names only. It is used predominantly in Healthcare to capture patient information
type: keyword
-
rsa.healthcare.patient_id
-
This key captures the unique ID for a patient
type: keyword
-
rsa.healthcare.patient_lname
-
This key is for Last Names only. It is used predominantly in Healthcare to capture patient information
type: keyword
-
rsa.healthcare.patient_mname
-
This key is for Middle Names only. It is used predominantly in Healthcare to capture patient information
type: keyword
-
rsa.endpoint.host_state
-
This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
type: keyword
-
rsa.endpoint.registry_key
-
This key captures the path to the registry key
type: keyword
-
rsa.endpoint.registry_value
-
This key captures values or decorators used within a registry entry
type: keyword
Fields from fortinet FortiOS
-
fortinet.file.hash.crc32
-
CRC32 Hash of file
type: keyword
Module for parsing Fortinet syslog.
-
fortinet.firewall.acct_stat
-
Accounting state (RADIUS)
type: keyword
-
fortinet.firewall.acktime
-
Alarm Acknowledge Time
type: keyword
-
fortinet.firewall.act
-
Action
type: keyword
-
fortinet.firewall.action
-
Status of the session
type: keyword
-
fortinet.firewall.activity
-
HA activity message
type: keyword
-
fortinet.firewall.addr
-
IP Address
type: ip
-
fortinet.firewall.addr_type
-
Address Type
type: keyword
-
fortinet.firewall.addrgrp
-
Address Group
type: keyword
-
fortinet.firewall.adgroup
-
AD Group Name
type: keyword
-
fortinet.firewall.admin
-
Admin User
type: keyword
-
fortinet.firewall.age
-
Time in seconds - time passed since last seen
type: integer
-
fortinet.firewall.agent
-
User agent - e.g. agent="Mozilla/5.0"
type: keyword
-
fortinet.firewall.alarmid
-
Alarm ID
type: integer
-
fortinet.firewall.alert
-
Alert
type: keyword
-
fortinet.firewall.analyticscksum
-
The checksum of the file submitted for analytics
type: keyword
-
fortinet.firewall.analyticssubmit
-
The flag for analytics submission
type: keyword
-
fortinet.firewall.ap
-
Access Point
type: keyword
-
fortinet.firewall.app-type
-
Address Type
type: keyword
-
fortinet.firewall.appact
-
The security action from app control
type: keyword
-
fortinet.firewall.appid
-
Application ID
type: integer
-
fortinet.firewall.applist
-
Application Control profile
type: keyword
-
fortinet.firewall.apprisk
-
Application Risk Level
type: keyword
-
fortinet.firewall.apscan
-
The name of the AP, which scanned and detected the rogue AP
type: keyword
-
fortinet.firewall.apsn
-
Access Point
type: keyword
-
fortinet.firewall.apstatus
-
Access Point status
type: keyword
-
fortinet.firewall.aptype
-
Access Point type
type: keyword
-
fortinet.firewall.assigned
-
Assigned IP Address
type: ip
-
fortinet.firewall.assignip
-
Assigned IP Address
type: ip
-
fortinet.firewall.attachment
-
The flag for email attachment
type: keyword
-
fortinet.firewall.attack
-
Attack Name
type: keyword
-
fortinet.firewall.attackcontext
-
The trigger patterns and the packetdata with base64 encoding
type: keyword
-
fortinet.firewall.attackcontextid
-
Attack context id / total
type: keyword
-
fortinet.firewall.attackid
-
Attack ID
type: integer
-
fortinet.firewall.auditid
-
Audit ID
type: long
-
fortinet.firewall.auditscore
-
The Audit Score
type: keyword
-
fortinet.firewall.audittime
-
The time of the audit
type: long
-
fortinet.firewall.authgrp
-
Authorization Group
type: keyword
-
fortinet.firewall.authid
-
Authentication ID
type: keyword
-
fortinet.firewall.authproto
-
The protocol that initiated the authentication
type: keyword
-
fortinet.firewall.authserver
-
Authentication server
type: keyword
-
fortinet.firewall.bandwidth
-
Bandwidth
type: keyword
-
fortinet.firewall.banned_rule
-
NAC quarantine Banned Rule Name
type: keyword
-
fortinet.firewall.banned_src
-
NAC quarantine Banned Source IP
type: keyword
-
fortinet.firewall.banword
-
Banned word
type: keyword
-
fortinet.firewall.botnetdomain
-
Botnet Domain Name
type: keyword
-
fortinet.firewall.botnetip
-
Botnet IP Address
type: ip
-
fortinet.firewall.bssid
-
Service Set ID
type: keyword
-
fortinet.firewall.call_id
-
Caller ID
type: keyword
-
fortinet.firewall.carrier_ep
-
The FortiOS Carrier end-point identification
type: keyword
-
fortinet.firewall.cat
-
DNS category ID
type: integer
-
fortinet.firewall.category
-
Authentication category
type: keyword
-
fortinet.firewall.cc
-
CC Email Address
type: keyword
-
fortinet.firewall.cdrcontent
-
Cdrcontent
type: keyword
-
fortinet.firewall.centralnatid
-
Central NAT ID
type: integer
-
fortinet.firewall.cert
-
Certificate
type: keyword
-
fortinet.firewall.cert-type
-
Certificate type
type: keyword
-
fortinet.firewall.certhash
-
Certificate hash
type: keyword
-
fortinet.firewall.cfgattr
-
Configuration attribute
type: keyword
-
fortinet.firewall.cfgobj
-
Configuration object
type: keyword
-
fortinet.firewall.cfgpath
-
Configuration path
type: keyword
-
fortinet.firewall.cfgtid
-
Configuration transaction ID
type: keyword
-
fortinet.firewall.cfgtxpower
-
Configuration TX power
type: integer
-
fortinet.firewall.channel
-
Wireless Channel
type: integer
-
fortinet.firewall.channeltype
-
SSH channel type
type: keyword
-
fortinet.firewall.chassisid
-
Chassis ID
type: integer
-
fortinet.firewall.checksum
-
The checksum of the scanned file
type: keyword
-
fortinet.firewall.chgheaders
-
HTTP Headers
type: keyword
-
fortinet.firewall.cldobjid
-
Connector object ID
type: keyword
-
fortinet.firewall.client_addr
-
Wifi client address
type: keyword
-
fortinet.firewall.cloudaction
-
Cloud Action
type: keyword
-
fortinet.firewall.clouduser
-
Cloud User
type: keyword
-
fortinet.firewall.column
-
VOIP Column
type: integer
-
fortinet.firewall.command
-
CLI Command
type: keyword
-
fortinet.firewall.community
-
SNMP Community
type: keyword
-
fortinet.firewall.configcountry
-
Configuration country
type: keyword
-
fortinet.firewall.connection_type
-
FortiClient Connection Type
type: keyword
-
fortinet.firewall.conserve
-
Flag for conserve mode
type: keyword
-
fortinet.firewall.constraint
-
WAF http protocol restrictions
type: keyword
-
fortinet.firewall.contentdisarmed
-
Email scanned content
type: keyword
-
fortinet.firewall.contenttype
-
Content Type from HTTP header
type: keyword
-
fortinet.firewall.cookies
-
VPN Cookie
type: keyword
-
fortinet.firewall.count
-
Counts of action type
type: integer
-
fortinet.firewall.countapp
-
Number of App Ctrl logs associated with the session
type: integer
-
fortinet.firewall.countav
-
Number of AV logs associated with the session
type: integer
-
fortinet.firewall.countcifs
-
Number of CIFS logs associated with the session
type: integer
-
fortinet.firewall.countdlp
-
Number of DLP logs associated with the session
type: integer
-
fortinet.firewall.countdns
-
Number of DNS logs associated with the session
type: integer
-
fortinet.firewall.countemail
-
Number of email logs associated with the session
type: integer
-
fortinet.firewall.countff
-
Number of ff logs associated with the session
type: integer
-
fortinet.firewall.countips
-
Number of IPS logs associated with the session
type: integer
-
fortinet.firewall.countssh
-
Number of SSH logs associated with the session
type: integer
-
fortinet.firewall.countssl
-
Number of SSL logs associated with the session
type: integer
-
fortinet.firewall.countwaf
-
Number of WAF logs associated with the session
type: integer
-
fortinet.firewall.countweb
-
Number of Web filter logs associated with the session
type: integer
-
fortinet.firewall.cpu
-
CPU Usage
type: integer
-
fortinet.firewall.craction
-
Client Reputation Action
type: integer
-
fortinet.firewall.criticalcount
-
Number of critical ratings
type: integer
-
fortinet.firewall.crl
-
Client Reputation Level
type: keyword
-
fortinet.firewall.crlevel
-
Client Reputation Level
type: keyword
-
fortinet.firewall.crscore
-
Some description
type: integer
-
fortinet.firewall.cveid
-
CVE ID
type: keyword
-
fortinet.firewall.daemon
-
Daemon name
type: keyword
-
fortinet.firewall.datarange
-
Data range for reports
type: keyword
-
fortinet.firewall.date
-
Date
type: keyword
-
fortinet.firewall.ddnsserver
-
DDNS server
type: ip
-
fortinet.firewall.desc
-
Description
type: keyword
-
fortinet.firewall.detectionmethod
-
Detection method
type: keyword
-
fortinet.firewall.devcategory
-
Device category
type: keyword
-
fortinet.firewall.devintfname
-
HA device Interface Name
type: keyword
-
fortinet.firewall.devtype
-
Device type
type: keyword
-
fortinet.firewall.dhcp_msg
-
DHCP Message
type: keyword
-
fortinet.firewall.dintf
-
Destination interface
type: keyword
-
fortinet.firewall.disk
-
Associated disk
type: keyword
-
fortinet.firewall.disklograte
-
Disk logging rate
type: long
-
fortinet.firewall.dlpextra
-
DLP extra information
type: keyword
-
fortinet.firewall.docsource
-
DLP fingerprint document source
type: keyword
-
fortinet.firewall.domainctrlauthstate
-
CIFS domain auth state
type: integer
-
fortinet.firewall.domainctrlauthtype
-
CIFS domain auth type
type: integer
-
fortinet.firewall.domainctrldomain
-
CIFS domain auth domain
type: keyword
-
fortinet.firewall.domainctrlip
-
CIFS Domain IP
type: ip
-
fortinet.firewall.domainctrlname
-
CIFS Domain name
type: keyword
-
fortinet.firewall.domainctrlprotocoltype
-
CIFS Domain connection protocol
type: integer
-
fortinet.firewall.domainctrlusername
-
CIFS Domain username
type: keyword
-
fortinet.firewall.domainfilteridx
-
Domain filter ID
type: integer
-
fortinet.firewall.domainfilterlist
-
Domain filter name
type: keyword
-
fortinet.firewall.ds
-
Direction with distribution system
type: keyword
-
fortinet.firewall.dst_int
-
Destination interface
type: keyword
-
fortinet.firewall.dstintfrole
-
Destination interface role
type: keyword
-
fortinet.firewall.dstcountry
-
Destination country
type: keyword
-
fortinet.firewall.dstdevcategory
-
Destination device category
type: keyword
-
fortinet.firewall.dstdevtype
-
Destination device type
type: keyword
-
fortinet.firewall.dstfamily
-
Destination OS family
type: keyword
-
fortinet.firewall.dsthwvendor
-
Destination HW vendor
type: keyword
-
fortinet.firewall.dsthwversion
-
Destination HW version
type: keyword
-
fortinet.firewall.dstinetsvc
-
Destination interface service
type: keyword
-
fortinet.firewall.dstosname
-
Destination OS name
type: keyword
-
fortinet.firewall.dstosversion
-
Destination OS version
type: keyword
-
fortinet.firewall.dstserver
-
Destination server
type: integer
-
fortinet.firewall.dstssid
-
Destination SSID
type: keyword
-
fortinet.firewall.dstswversion
-
Destination software version
type: keyword
-
fortinet.firewall.dstunauthusersource
-
Destination unauthenticated source
type: keyword
-
fortinet.firewall.dstuuid
-
UUID of the Destination IP address
type: keyword
-
fortinet.firewall.duid
-
DHCP UID
type: keyword
-
fortinet.firewall.eapolcnt
-
EAPOL packet count
type: integer
-
fortinet.firewall.eapoltype
-
EAPOL packet type
type: keyword
-
fortinet.firewall.encrypt
-
Whether the packet is encrypted or not
type: integer
-
fortinet.firewall.encryption
-
Encryption method
type: keyword
-
fortinet.firewall.epoch
-
Epoch used for locating file
type: integer
-
fortinet.firewall.espauth
-
ESP Authentication
type: keyword
-
fortinet.firewall.esptransform
-
ESP Transform
type: keyword
-
fortinet.firewall.eventtype
-
UTM Event Type
type: keyword
-
fortinet.firewall.exch
-
Mail Exchanges from DNS response answer section
type: keyword
-
fortinet.firewall.exchange
-
Mail Exchanges from DNS response answer section
type: keyword
-
fortinet.firewall.expectedsignature
-
Expected SSL signature
type: keyword
-
fortinet.firewall.expiry
-
FortiGuard override expiry timestamp
type: keyword
-
fortinet.firewall.fams_pause
-
Fortinet Analysis and Management Service Pause
type: integer
-
fortinet.firewall.fazlograte
-
FortiAnalyzer Logging Rate
type: long
-
fortinet.firewall.fctemssn
-
FortiClient Endpoint SSN
type: keyword
-
fortinet.firewall.fctuid
-
FortiClient UID
type: keyword
-
fortinet.firewall.field
-
NTP status field
type: keyword
-
fortinet.firewall.filefilter
-
The filter used to identify the affected file
type: keyword
-
fortinet.firewall.filehashsrc
-
Filehash source
type: keyword
-
fortinet.firewall.filtercat
-
DLP filter category
type: keyword
-
fortinet.firewall.filteridx
-
DLP filter ID
type: integer
-
fortinet.firewall.filtername
-
DLP rule name
type: keyword
-
fortinet.firewall.filtertype
-
DLP filter type
type: keyword
-
fortinet.firewall.fortiguardresp
-
Antispam ESP value
type: keyword
-
fortinet.firewall.forwardedfor
-
Email address forwarded
type: keyword
-
fortinet.firewall.fqdn
-
FQDN
type: keyword
-
fortinet.firewall.frametype
-
Wireless frametype
type: keyword
-
fortinet.firewall.freediskstorage
-
Free disk integer
type: integer
-
fortinet.firewall.from
-
From email address
type: keyword
-
fortinet.firewall.from_vcluster
-
Source virtual cluster number
type: integer
-
fortinet.firewall.fsaverdict
-
FSA verdict
type: keyword
-
fortinet.firewall.fwserver_name
-
Web proxy server name
type: keyword
-
fortinet.firewall.gateway
-
Gateway ip address for PPPoE status report
type: ip
-
fortinet.firewall.green
-
Memory status
type: keyword
-
fortinet.firewall.groupid
-
User Group ID
type: integer
-
fortinet.firewall.ha-prio
-
HA Priority
type: integer
-
fortinet.firewall.ha_group
-
HA Group
type: keyword
-
fortinet.firewall.ha_role
-
HA Role
type: keyword
-
fortinet.firewall.handshake
-
SSL Handshake
type: keyword
-
fortinet.firewall.hash
-
Hash value of downloaded file
type: keyword
-
fortinet.firewall.hbdn_reason
-
Heartbeat down reason
type: keyword
-
fortinet.firewall.highcount
-
Highcount fabric summary
type: integer
-
fortinet.firewall.host
-
Hostname
type: keyword
-
fortinet.firewall.iaid
-
DHCPv6 id
type: keyword
-
fortinet.firewall.icmpcode
-
Destination Port of the ICMP message
type: keyword
-
fortinet.firewall.icmpid
-
Source port of the ICMP message
type: keyword
-
fortinet.firewall.icmptype
-
The type of ICMP message
type: keyword
-
fortinet.firewall.identifier
-
Network traffic identifier
type: integer
-
fortinet.firewall.in_spi
-
IPSEC inbound SPI
type: keyword
-
fortinet.firewall.incidentserialno
-
Incident serial number
type: integer
-
fortinet.firewall.infected
-
Infected MMS
type: integer
-
fortinet.firewall.infectedfilelevel
-
DLP infected file level
type: integer
-
fortinet.firewall.informationsource
-
Information source
type: keyword
-
fortinet.firewall.init
-
IPSEC init stage
type: keyword
-
fortinet.firewall.initiator
-
Original login user name for FortiGuard override
type: keyword
-
fortinet.firewall.interface
-
Related interface
type: keyword
-
fortinet.firewall.intf
-
Related interface
type: keyword
-
fortinet.firewall.invalidmac
-
The MAC address with invalid OUI
type: keyword
-
fortinet.firewall.ip
-
Related IP
type: ip
-
fortinet.firewall.iptype
-
Related IP type
type: keyword
-
fortinet.firewall.keyword
-
Keyword used for search
type: keyword
-
fortinet.firewall.kind
-
VOIP kind
type: keyword
-
fortinet.firewall.lanin
-
LAN incoming traffic in bytes
type: long
-
fortinet.firewall.lanout
-
LAN outbound traffic in bytes
type: long
-
fortinet.firewall.lease
-
DHCP lease
type: integer
-
fortinet.firewall.license_limit
-
Maximum Number of FortiClients for the License
type: keyword
-
fortinet.firewall.limit
-
Virtual Domain Resource Limit
type: integer
-
fortinet.firewall.line
-
VOIP line
type: keyword
-
fortinet.firewall.live
-
Time in seconds
type: integer
-
fortinet.firewall.local
-
Local IP for a PPPD Connection
type: ip
-
fortinet.firewall.log
-
Log message
type: keyword
-
fortinet.firewall.login
-
SSH login
type: keyword
-
fortinet.firewall.lowcount
-
Fabric lowcount
type: integer
-
fortinet.firewall.mac
-
DHCP mac address
type: keyword
-
fortinet.firewall.malform_data
-
VOIP malformed data
type: integer
-
fortinet.firewall.malform_desc
-
VOIP malformed data description
type: keyword
-
fortinet.firewall.manuf
-
Manufacturer name
type: keyword
-
fortinet.firewall.masterdstmac
-
Master mac address for a host with multiple network interfaces
type: keyword
-
fortinet.firewall.mastersrcmac
-
The master MAC address for a host that has multiple network interfaces
type: keyword
-
fortinet.firewall.mediumcount
-
Fabric medium count
type: integer
-
fortinet.firewall.mem
-
Memory usage system statistics
type: integer
-
fortinet.firewall.meshmode
-
Wireless mesh mode
type: keyword
-
fortinet.firewall.message_type
-
VOIP message type
type: keyword
-
fortinet.firewall.method
-
HTTP method
type: keyword
-
fortinet.firewall.mgmtcnt
-
The number of unauthorized client flooding management frames
type: integer
-
fortinet.firewall.mode
-
IPSEC mode
type: keyword
-
fortinet.firewall.module
-
PCI-DSS module
type: keyword
-
fortinet.firewall.monitor-name
-
Health Monitor Name
type: keyword
-
fortinet.firewall.monitor-type
-
Health Monitor Type
type: keyword
-
fortinet.firewall.mpsk
-
Wireless MPSK
type: keyword
-
fortinet.firewall.msgproto
-
Message Protocol Number
type: keyword
-
fortinet.firewall.mtu
-
Max Transmission Unit Value
type: integer
-
fortinet.firewall.name
-
Name
type: keyword
-
fortinet.firewall.nat
-
NAT IP Address
type: keyword
-
fortinet.firewall.netid
-
Connector NetID
type: keyword
-
fortinet.firewall.new_status
-
New status on user change
type: keyword
-
fortinet.firewall.new_value
-
New Virtual Domain Name
type: keyword
-
fortinet.firewall.newchannel
-
New Channel Number
type: integer
-
fortinet.firewall.newchassisid
-
New Chassis ID
type: integer
-
fortinet.firewall.newslot
-
New Slot Number
type: integer
-
fortinet.firewall.nextstat
-
Time interval in seconds for the next statistics.
type: integer
-
fortinet.firewall.nf_type
-
Notification Type
type: keyword
-
fortinet.firewall.noise
-
Wifi Noise
type: integer
-
fortinet.firewall.old_status
-
Original Status
type: keyword
-
fortinet.firewall.old_value
-
Original Virtual Domain name
type: keyword
-
fortinet.firewall.oldchannel
-
Original channel
type: integer
-
fortinet.firewall.oldchassisid
-
Original Chassis Number
type: integer
-
fortinet.firewall.oldslot
-
Original Slot Number
type: integer
-
fortinet.firewall.oldsn
-
Old Serial number
type: keyword
-
fortinet.firewall.oldwprof
-
Old Web Filter Profile
type: keyword
-
fortinet.firewall.onwire
-
A flag to indicate if the AP is onwire or not
type: keyword
-
fortinet.firewall.opercountry
-
Operating Country
type: keyword
-
fortinet.firewall.opertxpower
-
Operating TX power
type: integer
-
fortinet.firewall.osname
-
Operating System name
type: keyword
-
fortinet.firewall.osversion
-
Operating System version
type: keyword
-
fortinet.firewall.out_spi
-
Out SPI
type: keyword
-
fortinet.firewall.outintf
-
Out interface
type: keyword
-
fortinet.firewall.passedcount
-
Fabric passed count
type: integer
-
fortinet.firewall.passwd
-
Changed user password information
type: keyword
-
fortinet.firewall.path
-
Path of looped configuration for security fabric
type: keyword
-
fortinet.firewall.peer
-
WAN optimization peer
type: keyword
-
fortinet.firewall.peer_notif
-
VPN peer notification
type: keyword
-
fortinet.firewall.phase2_name
-
VPN phase2 name
type: keyword
-
fortinet.firewall.phone
-
VOIP Phone
type: keyword
-
fortinet.firewall.pid
-
Process ID
type: integer
-
fortinet.firewall.policytype
-
Policy Type
type: keyword
-
fortinet.firewall.poolname
-
IP Pool name
type: keyword
-
fortinet.firewall.port
-
Log upload error port
type: integer
-
fortinet.firewall.portbegin
-
IP Pool port number to begin
type: integer
-
fortinet.firewall.portend
-
IP Pool port number to end
type: integer
-
fortinet.firewall.probeproto
-
Link Monitor Probe Protocol
type: keyword
-
fortinet.firewall.process
-
URL Filter process
type: keyword
-
fortinet.firewall.processtime
-
Process time for reports
type: integer
-
fortinet.firewall.profile
-
Profile Name
type: keyword
-
fortinet.firewall.profile_vd
-
Virtual Domain Name
type: keyword
-
fortinet.firewall.profilegroup
-
Profile Group Name
type: keyword
-
fortinet.firewall.profiletype
-
Profile Type
type: keyword
-
fortinet.firewall.qtypeval
-
DNS question type value
type: integer
-
fortinet.firewall.quarskip
-
Quarantine skip explanation
type: keyword
-
fortinet.firewall.quotaexceeded
-
If quota has been exceeded
type: keyword
-
fortinet.firewall.quotamax
-
Maximum quota allowed - in seconds if time-based - in bytes if traffic-based
type: long
-
fortinet.firewall.quotatype
-
Quota type
type: keyword
-
fortinet.firewall.quotaused
-
Quota used - in seconds if time-based - in bytes if traffic-based
type: long
-
fortinet.firewall.radioband
-
Radio band
type: keyword
-
fortinet.firewall.radioid
-
Radio ID
type: integer
-
fortinet.firewall.radioidclosest
-
Radio ID on the AP closest to the rogue AP
type: integer
-
fortinet.firewall.radioiddetected
-
Radio ID on the AP which detected the rogue AP
type: integer
-
fortinet.firewall.rate
-
Wireless rogue rate value
type: keyword
-
fortinet.firewall.rawdata
-
Raw data value
type: keyword
-
fortinet.firewall.rawdataid
-
Raw data ID
type: keyword
-
fortinet.firewall.rcvddelta
-
Received bytes delta
type: keyword
-
fortinet.firewall.reason
-
Alert reason
type: keyword
-
fortinet.firewall.received
-
Server key exchange received
type: integer
-
fortinet.firewall.receivedsignature
-
Server key exchange received signature
type: keyword
-
fortinet.firewall.red
-
Memory information in red
type: keyword
-
fortinet.firewall.referralurl
-
Web filter referralurl
type: keyword
-
fortinet.firewall.remote
-
Remote PPP IP address
type: ip
-
fortinet.firewall.remotewtptime
-
Remote Wifi RADIUS authentication time
type: keyword
-
fortinet.firewall.reporttype
-
Report type
type: keyword
-
fortinet.firewall.reqtype
-
Request type
type: keyword
-
fortinet.firewall.request_name
-
VOIP request name
type: keyword
-
fortinet.firewall.result
-
VPN phase result
type: keyword
-
fortinet.firewall.role
-
VPN Phase 2 role
type: keyword
-
fortinet.firewall.rssi
-
Received signal strength indicator
type: integer
-
fortinet.firewall.rsso_key
-
RADIUS SSO attribute value
type: keyword
-
fortinet.firewall.ruledata
-
Rule data
type: keyword
-
fortinet.firewall.ruletype
-
Rule type
type: keyword
-
fortinet.firewall.scanned
-
Number of Scanned MMSs
type: integer
-
fortinet.firewall.scantime
-
Scanned time
type: long
-
fortinet.firewall.scope
-
FortiGuard Override Scope
type: keyword
-
fortinet.firewall.security
-
Wireless rogue security
type: keyword
-
fortinet.firewall.sensitivity
-
Sensitivity for document fingerprint
type: keyword
-
fortinet.firewall.sensor
-
NAC Sensor Name
type: keyword
-
fortinet.firewall.sentdelta
-
Sent bytes delta
type: keyword
-
fortinet.firewall.seq
-
Sequence number
type: keyword
-
fortinet.firewall.serial
-
WAN optimisation serial
type: keyword
-
fortinet.firewall.serialno
-
Serial number
type: keyword
-
fortinet.firewall.server
-
AD server FQDN or IP
type: keyword
-
fortinet.firewall.session_id
-
Session ID
type: keyword
-
fortinet.firewall.sessionid
-
WAD Session ID
type: integer
-
fortinet.firewall.setuprate
-
Session Setup Rate
type: long
-
fortinet.firewall.severity
-
Severity
type: keyword
-
fortinet.firewall.shaperdroprcvdbyte
-
Received bytes dropped by shaper
type: integer
-
fortinet.firewall.shaperdropsentbyte
-
Sent bytes dropped by shaper
type: integer
-
fortinet.firewall.shaperperipdropbyte
-
Dropped bytes per IP by shaper
type: integer
-
fortinet.firewall.shaperperipname
-
Traffic shaper name (per IP)
type: keyword
-
fortinet.firewall.shaperrcvdname
-
Traffic shaper name for received traffic
type: keyword
-
fortinet.firewall.shapersentname
-
Traffic shaper name for sent traffic
type: keyword
-
fortinet.firewall.shapingpolicyid
-
Traffic shaper policy ID
type: integer
-
fortinet.firewall.signal
-
Wireless rogue API signal
type: integer
-
fortinet.firewall.size
-
Email size in bytes
type: long
-
fortinet.firewall.slot
-
Slot number
type: integer
-
fortinet.firewall.sn
-
Security fabric serial number
type: keyword
-
fortinet.firewall.snclosest
-
SN of the AP closest to the rogue AP
type: keyword
-
fortinet.firewall.sndetected
-
SN of the AP which detected the rogue AP
type: keyword
-
fortinet.firewall.snmeshparent
-
SN of the mesh parent
type: keyword
-
fortinet.firewall.spi
-
IPSEC SPI
type: keyword
-
fortinet.firewall.src_int
-
Source interface
type: keyword
-
fortinet.firewall.srcintfrole
-
Source interface role
type: keyword
-
fortinet.firewall.srccountry
-
Source country
type: keyword
-
fortinet.firewall.srcfamily
-
Source family
type: keyword
-
fortinet.firewall.srchwvendor
-
Source hardware vendor
type: keyword
-
fortinet.firewall.srchwversion
-
Source hardware version
type: keyword
-
fortinet.firewall.srcinetsvc
-
Source interface service
type: keyword
-
fortinet.firewall.srcname
-
Source name
type: keyword
-
fortinet.firewall.srcserver
-
Source server
type: integer
-
fortinet.firewall.srcssid
-
Source SSID
type: keyword
-
fortinet.firewall.srcswversion
-
Source software version
type: keyword
-
fortinet.firewall.srcuuid
-
Source UUID
type: keyword
-
fortinet.firewall.sscname
-
SSC name
type: keyword
-
fortinet.firewall.ssid
-
Base Service Set ID
type: keyword
-
fortinet.firewall.sslaction
-
SSL Action
type: keyword
-
fortinet.firewall.ssllocal
-
WAD SSL local
type: keyword
-
fortinet.firewall.sslremote
-
WAD SSL remote
type: keyword
-
fortinet.firewall.stacount
-
Number of stations/clients
type: integer
-
fortinet.firewall.stage
-
IPSEC stage
type: keyword
-
fortinet.firewall.stamac
-
802.1x station mac
type: keyword
-
fortinet.firewall.state
-
Admin login state
type: keyword
-
fortinet.firewall.status
-
Status
type: keyword
-
fortinet.firewall.stitch
-
Automation stitch triggered
type: keyword
-
fortinet.firewall.subject
-
Email subject
type: keyword
-
fortinet.firewall.submodule
-
Configuration Sub-Module Name
type: keyword
-
fortinet.firewall.subservice
-
AV subservice
type: keyword
-
fortinet.firewall.subtype
-
Log subtype
type: keyword
-
fortinet.firewall.suspicious
-
Number of Suspicious MMSs
type: integer
-
fortinet.firewall.switchproto
-
Protocol change information
type: keyword
-
fortinet.firewall.sync_status
-
The sync status with the master
type: keyword
-
fortinet.firewall.sync_type
-
The sync type with the master
type: keyword
-
fortinet.firewall.sysuptime
-
System uptime
type: keyword
-
fortinet.firewall.tamac
-
The MAC address of the transmitter; if none, then of the receiver
type: keyword
-
fortinet.firewall.threattype
-
WIDS threat type
type: keyword
-
fortinet.firewall.time
-
Time of the event
type: keyword
-
fortinet.firewall.to
-
Email to field
type: keyword
-
fortinet.firewall.to_vcluster
-
Destination virtual cluster number
type: integer
-
fortinet.firewall.total
-
Total memory
type: integer
-
fortinet.firewall.totalsession
-
Total Number of Sessions
type: integer
-
fortinet.firewall.trace_id
-
Session clash trace ID
type: keyword
-
fortinet.firewall.trandisp
-
NAT translation type
type: keyword
-
fortinet.firewall.transid
-
HTTP transaction ID
type: integer
-
fortinet.firewall.translationid
-
DNS filter translation ID
type: keyword
-
fortinet.firewall.trigger
-
Automation stitch trigger
type: keyword
-
fortinet.firewall.trueclntip
-
File filter true client IP
type: ip
-
fortinet.firewall.tunnelid
-
IPSEC tunnel ID
type: integer
-
fortinet.firewall.tunnelip
-
IPSEC tunnel IP
type: ip
-
fortinet.firewall.tunneltype
-
IPSEC tunnel type
type: keyword
-
fortinet.firewall.type
-
Module type
type: keyword
-
fortinet.firewall.ui
-
Admin authentication UI type
type: keyword
-
fortinet.firewall.unauthusersource
-
Unauthenticated user source
type: keyword
-
fortinet.firewall.unit
-
Power supply unit
type: integer
-
fortinet.firewall.urlfilteridx
-
URL filter ID
type: integer
-
fortinet.firewall.urlfilterlist
-
URL filter list
type: keyword
-
fortinet.firewall.urlsource
-
URL filter source
type: keyword
-
fortinet.firewall.urltype
-
URL filter type
type: keyword
-
fortinet.firewall.used
-
Number of Used IPs
type: integer
-
fortinet.firewall.used_for_type
-
Connection for the type
type: integer
-
fortinet.firewall.utmaction
-
Security action performed by UTM
type: keyword
-
fortinet.firewall.utmref
-
Reference to UTM
type: keyword
-
fortinet.firewall.vap
-
Virtual AP
type: keyword
-
fortinet.firewall.vapmode
-
Virtual AP mode
type: keyword
-
fortinet.firewall.vcluster
-
Virtual cluster ID
type: integer
-
fortinet.firewall.vcluster_member
-
Virtual cluster member
type: integer
-
fortinet.firewall.vcluster_state
-
Virtual cluster state
type: keyword
-
fortinet.firewall.vd
-
Virtual Domain Name
type: keyword
-
fortinet.firewall.vdname
-
Virtual Domain Name
type: keyword
-
fortinet.firewall.vendorurl
-
Vulnerability scan vendor name
type: keyword
-
fortinet.firewall.version
-
Version
type: keyword
-
fortinet.firewall.vip
-
Virtual IP
type: keyword
-
fortinet.firewall.virus
-
Virus name
type: keyword
-
fortinet.firewall.virusid
-
Virus ID (unique virus identifier)
type: integer
-
fortinet.firewall.voip_proto
-
VOIP protocol
type: keyword
-
fortinet.firewall.vpn
-
VPN description
type: keyword
-
fortinet.firewall.vpntunnel
-
IPsec VPN Tunnel Name
type: keyword
-
fortinet.firewall.vpntype
-
The type of the VPN tunnel
type: keyword
-
fortinet.firewall.vrf
-
VRF number
type: integer
-
fortinet.firewall.vulncat
-
Vulnerability Category
type: keyword
-
fortinet.firewall.vulnid
-
Vulnerability ID
type: integer
-
fortinet.firewall.vulnname
-
Vulnerability name
type: keyword
-
fortinet.firewall.vwlid
-
VWL ID
type: integer
-
fortinet.firewall.vwlquality
-
VWL quality
type: keyword
-
fortinet.firewall.vwlservice
-
VWL service
type: keyword
-
fortinet.firewall.vwpvlanid
-
VWP VLAN ID
type: integer
-
fortinet.firewall.wanin
-
WAN incoming traffic in bytes
type: long
-
fortinet.firewall.wanoptapptype
-
WAN Optimization Application type
type: keyword
-
fortinet.firewall.wanout
-
WAN outgoing traffic in bytes
type: long
-
fortinet.firewall.weakwepiv
-
Weak WEP Initialization Vector
type: keyword
-
fortinet.firewall.xauthgroup
-
XAuth Group Name
type: keyword
-
fortinet.firewall.xauthuser
-
XAuth User Name
type: keyword
-
fortinet.firewall.xid
-
Wireless X ID
type: integer