Fortinet fields

fortinet Module

network.interface.name

Name of the network interface where the traffic has been observed.

type: keyword

rsa.internal.msg

This key is used to capture the raw message that comes into the Log Decoder

type: keyword

rsa.internal.messageid

type: keyword

rsa.internal.event_desc

type: keyword

rsa.internal.message

This key captures the contents of instant messages

type: keyword

rsa.internal.time

This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: date

rsa.internal.level

Deprecated key defined only in table map.

type: long

rsa.internal.msg_id

This is the Message ID1 value that identifies the exact log parser definition that parses a particular log session. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: keyword

rsa.internal.msg_vid

This is the Message ID2 value that identifies the exact log parser definition that parses a particular log session. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: keyword

rsa.internal.data

Deprecated key defined only in table map.

type: keyword

rsa.internal.obj_server

Deprecated key defined only in table map.

type: keyword

rsa.internal.obj_val

Deprecated key defined only in table map.

type: keyword

rsa.internal.resource

Deprecated key defined only in table map.

type: keyword

rsa.internal.obj_id

Deprecated key defined only in table map.

type: keyword

rsa.internal.statement

Deprecated key defined only in table map.

type: keyword

rsa.internal.audit_class

Deprecated key defined only in table map.

type: keyword

rsa.internal.entry

Deprecated key defined only in table map.

type: keyword

rsa.internal.hcode

Deprecated key defined only in table map.

type: keyword

rsa.internal.inode

Deprecated key defined only in table map.

type: long

rsa.internal.resource_class

Deprecated key defined only in table map.

type: keyword

rsa.internal.dead

Deprecated key defined only in table map.

type: long

rsa.internal.feed_desc

This is used to capture the description of the feed. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: keyword

rsa.internal.feed_name

This is used to capture the name of the feed. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: keyword

rsa.internal.cid

This is the unique identifier of a NetWitness Concentrator. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: keyword

rsa.internal.device_class

This is the classification of the log event source under a predefined, fixed set of event source classifications. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: keyword

rsa.internal.device_group

This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: keyword

rsa.internal.device_host

This is the hostname of the log event source sending the logs to NetWitness. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: keyword

rsa.internal.device_ip

This is the IPv4 address of the log event source sending the logs to NetWitness. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: ip

rsa.internal.device_ipv6

This is the IPv6 address of the log event source sending the logs to NetWitness. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: ip

rsa.internal.device_type

This is the name of the log parser that parsed a given session. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: keyword

rsa.internal.device_type_id

Deprecated key defined only in table map.

type: long

rsa.internal.did

This is the unique identifier of a NetWitness Decoder. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: keyword

rsa.internal.entropy_req

This key is only used by the Entropy Parser; the meta type can be either UInt16 or Float32, depending on the configuration.

type: long

rsa.internal.entropy_res

This key is only used by the Entropy Parser; the meta type can be either UInt16 or Float32, depending on the configuration.

type: long

rsa.internal.event_name

Deprecated key defined only in table map.

type: keyword

rsa.internal.feed_category

This is used to capture the category of the feed. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: keyword

rsa.internal.forward_ip

This key should be used to capture the IPv4 address of a relay system that forwarded the events from the original system to NetWitness.

type: ip

rsa.internal.forward_ipv6

This key is used to capture the IPv6 address of a relay system that forwarded the events from the original system to NetWitness. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: ip

rsa.internal.header_id

This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: keyword

rsa.internal.lc_cid

This is a unique identifier of a Log Collector. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: keyword

rsa.internal.lc_ctime

This is the time at which a log is collected by a NetWitness Log Collector. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: date

rsa.internal.mcb_req

This key is only used by the Entropy Parser. The most common byte for the request side is simply the byte value (0 through 255) that was seen most often in the request stream.

type: long

rsa.internal.mcb_res

This key is only used by the Entropy Parser. The most common byte for the response side is simply the byte value (0 through 255) that was seen most often in the response stream.

type: long

rsa.internal.mcbc_req

This key is only used by the Entropy Parser. The most common byte count is the number of times the most common byte (above) was seen in the request stream of the session.

type: long

rsa.internal.mcbc_res

This key is only used by the Entropy Parser. The most common byte count is the number of times the most common byte (above) was seen in the response stream of the session.

type: long

rsa.internal.medium

This key identifies whether the session is a log or packet session, or the Layer 2 encapsulation type: 32 = log, 33 = correlation session, and any value below 32 is a packet session. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: long

rsa.internal.node_name

Deprecated key defined only in table map.

type: keyword

rsa.internal.nwe_callback_id

This key denotes that the event is endpoint related.

type: keyword

rsa.internal.parse_error

This is a special key that stores any meta key validation error found while parsing a log session. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: keyword

rsa.internal.payload_req

This key is only used by the Entropy Parser. The payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long

rsa.internal.payload_res

This key is only used by the Entropy Parser. The payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep

type: long

rsa.internal.process_vid_dst

The endpoint agent generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the target process.

type: keyword

rsa.internal.process_vid_src

The endpoint agent generates and uses a unique virtual ID to identify any similar group of processes. This ID represents the source process.

type: keyword

rsa.internal.rid

This is a special ID of the remote session created by the NetWitness Decoder. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: long

rsa.internal.session_split

This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: keyword

rsa.internal.site

Deprecated key defined only in table map.

type: keyword

rsa.internal.size

This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: long

rsa.internal.sourcefile

This is the name of the log file or PCAP that can be imported into NetWitness. This key should never be used to parse meta data from a session (logs or packets) directly; it is a reserved key in NetWitness.

type: keyword

rsa.internal.ubc_req

This key is only used by the Entropy Parser. The unique byte count is the number of distinct byte values seen in the request stream; 256 means every value from 0 through 255 was seen at least once.

type: long

rsa.internal.ubc_res

This key is only used by the Entropy Parser. The unique byte count is the number of distinct byte values seen in the response stream; 256 means every value from 0 through 255 was seen at least once.

type: long
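The Entropy Parser keys above (entropy_req/res, mcb_req/res, mcbc_req/res, ubc_req/res, payload_req/res) describe per-side byte statistics of a session. The following is an added example, not NetWitness or Filebeat code, showing how those statistics are computed from the two byte streams of a session and how a triage check can use them. The sample request and response are constructed; entropy is reported as Shannon entropy in bits per byte (0.0 to 8.0) rather than in the UInt16/Float32 scaling the parser configuration selects, and the 7.5 triage threshold is an assumed starting point, not a NetWitness default.

```python
"""Per-side byte statistics behind the Entropy Parser keys.

Added example, not NetWitness or Filebeat code. Entropy is reported as
Shannon entropy in bits per byte (0.0 to 8.0); the UInt16/Float32 scaling
the Entropy Parser configuration selects is left to the caller.
"""
from collections import Counter
from math import log2


def side_metrics(stream: bytes) -> dict:
    """Compute the metrics for one side (request or response) of a session.

    entropy - Shannon entropy of the byte distribution, bits per byte
    mcb     - most common byte value (0..255); the lowest value wins a tie
    mcbc    - number of times that most common byte was seen
    ubc     - number of distinct byte values seen (256 = every value seen)
    payload - size of the stream in bytes at the time of parsing
    """
    n = len(stream)
    if n == 0:
        return {"entropy": 0.0, "mcb": 0, "mcbc": 0, "ubc": 0, "payload": 0}
    counts = Counter(stream)
    entropy = -sum((c / n) * log2(c / n) for c in counts.values())
    # Sort by descending count, then ascending byte value, so ties are deterministic.
    mcb, mcbc = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[0]
    return {
        "entropy": round(entropy, 4),
        "mcb": mcb,
        "mcbc": mcbc,
        "ubc": len(counts),
        "payload": n,
    }


def session_metrics(request: bytes, response: bytes) -> dict:
    """Populate the req/res key pairs listed above for one session."""
    req, res = side_metrics(request), side_metrics(response)
    out = {}
    for name in ("entropy", "mcb", "mcbc", "ubc", "payload"):
        out[f"rsa.internal.{name}_req"] = req[name]
        out[f"rsa.internal.{name}_res"] = res[name]
    return out


def high_entropy(metrics: dict, side: str = "res", threshold: float = 7.5) -> bool:
    """Triage check: a side whose bytes are near-uniform (entropy close to 8)
    usually carries encrypted or compressed data. The 7.5 threshold is an
    assumed starting point, not a NetWitness default.
    """
    return metrics[f"rsa.internal.entropy_{side}"] >= threshold


# Constructed sample session: a plaintext HTTP request and a response whose
# body cycles through every byte value, which is what a compressed or
# encrypted payload tends to look like (entropy 8.0, ubc 256).
SAMPLE_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_RESPONSE = bytes(range(256)) * 4


if __name__ == "__main__":
    metrics = session_metrics(SAMPLE_REQUEST, SAMPLE_RESPONSE)
    for key, value in sorted(metrics.items()):
        print(f"{key}: {value}")
    print("response side looks encrypted or packed:", high_entropy(metrics))
```

Ties for the most common byte are resolved toward the lowest byte value so that the mcb/mcbc pair is reproducible across runs; a real parser may use a different tie rule, which is why mcbc (the count) is the more comparable of the two values.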

rsa.internal.word

This is used by the Word Parsing technology to capture the first 5 characters of every word in an unparsed log.

type: keyword

rsa.time.event_time

This key is used to capture the time mentioned in a raw session that represents the actual time an event occurred, in a standard normalized form.

type: date

rsa.time.duration_time

This key is used to capture the normalized duration/lifetime in seconds.

type: double

rsa.time.event_time_str

This key is used to capture the incomplete time mentioned in a session as a string

type: keyword

rsa.time.starttime

This key is used to capture the Start time mentioned in a session in a standard form

type: date

rsa.time.month

type: keyword

rsa.time.day

type: keyword

rsa.time.endtime

This key is used to capture the End time mentioned in a session in a standard form

type: date

rsa.time.timezone

This key is used to capture the timezone of the Event Time

type: keyword

rsa.time.duration_str

A text string version of the duration

type: keyword

rsa.time.date

type: keyword

rsa.time.year

type: keyword

rsa.time.recorded_time

The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records its own timestamp at the time of collection from its child nodes. Must be in timestamp format.

type: date

rsa.time.datetime

type: keyword

rsa.time.effective_time

This key is the effective time referenced by an individual event in a Standard Timestamp format

type: date

rsa.time.expire_time

This key is the timestamp that explicitly refers to an expiration.

type: date

rsa.time.process_time

Deprecated, use duration.time

type: keyword

rsa.time.hour

type: keyword

rsa.time.min

type: keyword

rsa.time.timestamp

type: keyword

rsa.time.event_queue_time

This key is the Time that the event was queued.

type: date

rsa.time.p_time1

type: keyword

rsa.time.tzone

type: keyword

rsa.time.eventtime

type: keyword

rsa.time.gmtdate

type: keyword

rsa.time.gmttime

type: keyword

rsa.time.p_date

type: keyword

rsa.time.p_month

type: keyword

rsa.time.p_time

type: keyword

rsa.time.p_time2

type: keyword

rsa.time.p_year

type: keyword

rsa.time.expire_time_str

This key is used to capture an incomplete timestamp that explicitly refers to an expiration.

type: keyword

rsa.time.stamp

Deprecated key defined only in table map.

type: date

rsa.misc.action

type: keyword

rsa.misc.result

This key is used to capture the outcome/result string value of an action in a session.

type: keyword

rsa.misc.severity

This key is used to capture the severity assigned to the session.

type: keyword

rsa.misc.event_type

This key captures the event category type as specified by the event source.

type: keyword

rsa.misc.reference_id

This key is used to capture an event id from the session directly

type: keyword

rsa.misc.version

This key captures Version of the application or OS which is generating the event.

type: keyword

rsa.misc.disposition

This key captures the end state of an action.

type: keyword

rsa.misc.result_code

This key is used to capture the outcome/result numeric value of an action in a session

type: keyword

rsa.misc.category

This key is used to capture the category of an event given by the vendor in the session

type: keyword

rsa.misc.obj_name

This is used to capture name of object

type: keyword

rsa.misc.obj_type

This is used to capture type of object

type: keyword

rsa.misc.event_source

This key captures the source of the event when it is not a hostname.

type: keyword

rsa.misc.log_session_id

This key is used to capture a sessionid from the session directly

type: keyword

rsa.misc.group

This key captures the Group Name value

type: keyword

rsa.misc.policy_name

This key is used to capture the Policy Name only.

type: keyword

rsa.misc.rule_name

This key captures the Rule Name

type: keyword

rsa.misc.context

This key captures Information which adds additional context to the event.

type: keyword

rsa.misc.change_new

This key is used to capture the new values of the attribute that’s changing in a session

type: keyword

rsa.misc.space

type: keyword

rsa.misc.client

This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.

type: keyword

rsa.misc.msgIdPart1

type: keyword

rsa.misc.msgIdPart2

type: keyword

rsa.misc.change_old

This key is used to capture the old value of the attribute that’s changing in a session

type: keyword

rsa.misc.operation_id

An alert number or operation number. The values should be unique and non-repeating.

type: keyword

rsa.misc.event_state

This key captures the current state of the object/item referenced within the event, describing an ongoing event.

type: keyword

rsa.misc.group_object

This key captures a collection/grouping of entities. Specific usage

type: keyword

rsa.misc.node

Common use case is the node name within a cluster. The cluster name is reflected by the host name.

type: keyword

rsa.misc.rule

This key captures the Rule number

type: keyword

rsa.misc.device_name

This is used to capture the name of the device associated with the node, such as a physical disk or printer.

type: keyword

rsa.misc.param

This key is the parameters passed as part of a command or application, etc.

type: keyword

rsa.misc.change_attrib

This key is used to capture the name of the attribute that’s changing in a session

type: keyword
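The rsa.time.* keys earlier on this page distinguish a fully normalized rsa.time.event_time from an rsa.time.event_time_str that holds an incomplete time as a string, and the change_attrib/change_old/change_new keys here split one changing attribute into its name and its two values. The parser below is an added example, not the Filebeat fortinet module's own ingest pipeline, showing both behaviours on FortiGate key=value syslog: a complete date, time and tz go into rsa.time.event_time in UTC, while a missing tz or an unparseable time falls back to rsa.time.event_time_str rather than being silently treated as UTC, and a cfgattr value of the form name[old->new] is split into the three change keys. The sample log lines are constructed, and the mapping of FortiGate keys (action, type, subtype, level, logid, logdesc, vd, sessionid, cfgpath, cfgobj, cfgattr) onto rsa.* fields is an assumption chosen for illustration.

```python
"""Map a FortiGate key=value syslog line onto rsa.time.* and rsa.misc.change_* keys.

Added example, not the Filebeat fortinet module's own ingest pipeline. The
FortiGate-to-rsa.* key mapping below is an assumption chosen to illustrate
what the keys hold.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict

# key=value pairs: the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# FortiGate tz values look like -0700 or +0530.
TZ_RE = re.compile(r"^([+-])(\d{2})(\d{2})$")
# cfgattr value convention assumed here: attribute[old->new]
CHANGE_RE = re.compile(r"^(?P<attr>[^\[]+)\[(?P<old>[^\]]*?)->(?P<new>[^\]]*)\]$")

# Direct FortiGate key -> rsa.* key mapping (assumed, for illustration only).
DIRECT = {
    "action": "rsa.misc.action",
    "type": "rsa.misc.event_type",
    "subtype": "rsa.misc.subcategory",
    "level": "rsa.misc.severity",
    "logid": "rsa.misc.reference_id",
    "logdesc": "rsa.misc.event_desc",
    "vd": "rsa.misc.vsys",
    "sessionid": "rsa.misc.log_session_id",
    "cfgpath": "rsa.misc.cfg_path",
    "cfgobj": "rsa.misc.cfg_obj",
    "cfgattr": "rsa.misc.cfg_attr",
}


def parse_kv(line: str) -> Dict[str, str]:
    """Split a FortiGate line into its key=value pairs."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(line)}


def normalize_time(fields: Dict[str, str]) -> Dict[str, str]:
    """Fill rsa.time.event_time (UTC, ISO 8601) plus rsa.time.timezone, or, when
    the timestamp cannot be normalized, rsa.time.event_time_str with the raw text.
    """
    out: Dict[str, str] = {}
    date, clock, tz = fields.get("date"), fields.get("time"), fields.get("tz")
    if not (date and clock):
        return out
    raw = f"{date} {clock}"
    m = TZ_RE.match(tz or "")
    if not m:
        # No usable offset: the wall-clock time is ambiguous, so keep it as a
        # string rather than silently treating it as UTC.
        out["rsa.time.event_time_str"] = raw
        return out
    sign, hh, mm = m.groups()
    offset = timedelta(hours=int(hh), minutes=int(mm))
    if sign == "-":
        offset = -offset
    try:
        local = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone(offset))
    except ValueError:
        # Incomplete or malformed time (or an out-of-range offset): keep the raw string.
        out["rsa.time.event_time_str"] = raw
        return out
    out["rsa.time.event_time"] = local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    out["rsa.time.timezone"] = tz
    return out


def normalize_change(fields: Dict[str, str]) -> Dict[str, str]:
    """Split cfgattr 'name[old->new]' into change_attrib, change_old and change_new."""
    m = CHANGE_RE.match(fields.get("cfgattr", ""))
    if not m:
        return {}
    return {
        "rsa.misc.change_attrib": m["attr"],
        "rsa.misc.change_old": m["old"],
        "rsa.misc.change_new": m["new"],
    }


def to_rsa_fields(line: str) -> Dict[str, str]:
    """Build the rsa.* document for one raw log line."""
    fields = parse_kv(line)
    out = {"rsa.internal.msg": line}  # the raw message, as rsa.internal.msg describes
    out.update({DIRECT[k]: v for k, v in fields.items() if k in DIRECT})
    out.update(normalize_time(fields))
    out.update(normalize_change(fields))
    return out


# Constructed sample lines, not captured from a real device.
SAMPLE_CONFIG_CHANGE = (
    'date=2019-05-13 time=11:45:03 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" tz="-0700" logdesc="Attribute configured" '
    'user="admin" ui="ssh(10.1.100.11)" action="Edit" cfgtid=65536 '
    'cfgpath="firewall.policy" cfgobj="1" cfgattr="action[deny->accept]" '
    'msg="Edit firewall.policy 1"'
)
SAMPLE_TRAFFIC_NO_TZ = (
    'date=2019-05-13 time=11:45:03 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="root" srcip=10.1.100.11 dstip=192.0.2.10 action="accept" '
    'sessionid=12345'
)

if __name__ == "__main__":
    for line in (SAMPLE_CONFIG_CHANGE, SAMPLE_TRAFFIC_NO_TZ):
        for key, value in sorted(to_rsa_fields(line).items()):
            if key != "rsa.internal.msg":
                print(f"{key}: {value}")
        print()
```

Keeping the unnormalizable case in event_time_str instead of guessing an offset matters for investigations: a timestamp silently shifted by the collector's local zone will not line up with other sources, and the string form at least preserves what the device actually said.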

rsa.misc.event_computer

This key is a Windows-only concept, used to capture the fully qualified domain name in a Windows log.

type: keyword

rsa.misc.reference_id1

This key is for Linked ID to be used as an addition to "reference.id"

type: keyword

rsa.misc.event_log

This key captures the Name of the event log

type: keyword

rsa.misc.OS

This key captures the Name of the Operating System

type: keyword

rsa.misc.terminal

This key captures the Terminal Names only

type: keyword

rsa.misc.msgIdPart3

type: keyword

rsa.misc.filter

This key captures Filter used to reduce result set

type: keyword

rsa.misc.serial_number

This key is the Serial number associated with a physical asset.

type: keyword

rsa.misc.checksum

This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.

type: keyword

rsa.misc.event_user

This key is a Windows-only concept, used to capture the combination of domain name and username in a Windows log.

type: keyword

rsa.misc.virusname

This key captures the name of the virus

type: keyword

rsa.misc.content_type

This key is used to capture Content Type only.

type: keyword

rsa.misc.group_id

This key captures Group ID Number (related to the group name)

type: keyword

rsa.misc.policy_id

This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise

type: keyword

rsa.misc.vsys

This key captures Virtual System Name

type: keyword

rsa.misc.connection_id

This key captures the Connection ID

type: keyword

rsa.misc.reference_id2

This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.

type: keyword

rsa.misc.sensor

This key captures Name of the sensor. Typically used in IDS/IPS based devices

type: keyword

rsa.misc.sig_id

This key captures the integer IDS/IPS signature ID.

type: long

rsa.misc.port_name

This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).

type: keyword

rsa.misc.rule_group

This key captures the Rule group name

type: keyword

rsa.misc.risk_num

This key captures a Numeric Risk value

type: double

rsa.misc.trigger_val

This key captures the Value of the trigger or threshold condition.

type: keyword

rsa.misc.log_session_id1

This key is used to capture a Linked (Related) Session ID from the session directly

type: keyword

rsa.misc.comp_version

This key captures the Version level of a sub-component of a product.

type: keyword

rsa.misc.content_version

This key captures Version level of a signature or database content.

type: keyword

rsa.misc.hardware_id

This key is used to capture a unique identifier for a device or system (not a MAC address).

type: keyword

rsa.misc.risk

This key captures the non-numeric risk value

type: keyword

rsa.misc.event_id

type: keyword

rsa.misc.reason

type: keyword

rsa.misc.status

type: keyword

rsa.misc.mail_id

This key is used to capture the mailbox id/name

type: keyword

rsa.misc.rule_uid

This key is the Unique Identifier for a rule.

type: keyword

rsa.misc.trigger_desc

This key captures the Description of the trigger or threshold condition.

type: keyword

rsa.misc.inout

type: keyword

rsa.misc.p_msgid

type: keyword

rsa.misc.data_type

type: keyword

rsa.misc.msgIdPart4

type: keyword

rsa.misc.error

This key captures all unsuccessful error codes or responses.

type: keyword

rsa.misc.index

type: keyword

rsa.misc.listnum

This key is used to capture listname or listnumber, primarily for collecting access-list

type: keyword

rsa.misc.ntype

type: keyword

rsa.misc.observed_val

This key captures the Value observed (from the perspective of the device generating the log).

type: keyword

rsa.misc.policy_value

This key captures the contents of the policy. This contains details about the policy

type: keyword

rsa.misc.pool_name

This key captures the name of a resource pool

type: keyword

rsa.misc.rule_template

A default set of parameters that is overlaid onto a rule (or rule name) and effectively constitutes a template.

type: keyword

rsa.misc.count

type: keyword

rsa.misc.number

type: keyword

rsa.misc.sigcat

type: keyword

rsa.misc.type

type: keyword

rsa.misc.comments

Comment information provided in the log message

type: keyword

rsa.misc.doc_number

This key captures File Identification number

type: long

rsa.misc.expected_val

This key captures the Value expected (from the perspective of the device generating the log).

type: keyword

rsa.misc.job_num

This key captures the Job Number

type: keyword

rsa.misc.spi_dst

Destination SPI Index

type: keyword

rsa.misc.spi_src

Source SPI Index

type: keyword

rsa.misc.code

type: keyword

rsa.misc.agent_id

This key is used to capture agent id

type: keyword

rsa.misc.message_body

This key captures the contents of the message body.

type: keyword

rsa.misc.phone

type: keyword

rsa.misc.sig_id_str

This key captures a string object of the sigid variable.

type: keyword

rsa.misc.cmd

type: keyword

rsa.misc.misc

type: keyword

rsa.misc.name

type: keyword

rsa.misc.cpu

This key is the CPU time used in the execution of the event being recorded.

type: long

rsa.misc.event_desc

This key is used to capture a description of an event available directly or inferred

type: keyword

rsa.misc.sig_id1

This key captures an integer IDS/IPS signature ID. It must be linked to sig.id.

type: long

rsa.misc.im_buddyid

type: keyword

rsa.misc.im_client

type: keyword

rsa.misc.im_userid

type: keyword

rsa.misc.pid

type: keyword

rsa.misc.priority

type: keyword

rsa.misc.context_subject

This key is to be used in an audit context where the subject is the object being identified

type: keyword

rsa.misc.context_target

type: keyword

rsa.misc.cve

This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.

type: keyword

rsa.misc.fcatnum

This key captures the filter category number (legacy usage).

type: keyword

rsa.misc.library

This key is used to capture library information in mainframe devices

type: keyword

rsa.misc.parent_node

This key captures the Parent Node Name. Must be related to node variable.

type: keyword

rsa.misc.risk_info

Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword

rsa.misc.tcp_flags

This key captures the TCP flags set in any packet of the session.

type: long

rsa.misc.tos

This key describes the type of service

type: long

rsa.misc.vm_target

VMware target (VMware-only variable).

type: keyword

rsa.misc.workspace

This key captures Workspace Description

type: keyword

rsa.misc.command

type: keyword

rsa.misc.event_category

type: keyword

rsa.misc.facilityname

type: keyword

rsa.misc.forensic_info

type: keyword

rsa.misc.jobname

type: keyword

rsa.misc.mode

type: keyword

rsa.misc.policy

type: keyword

rsa.misc.policy_waiver

type: keyword

rsa.misc.second

type: keyword

rsa.misc.space1

type: keyword

rsa.misc.subcategory

type: keyword

rsa.misc.tbdstr2

type: keyword

rsa.misc.alert_id

Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword

rsa.misc.checksum_dst

This key is used to capture the checksum or hash of the target entity such as a process or file.

type: keyword

rsa.misc.checksum_src

This key is used to capture the checksum or hash of the source entity such as a file or process.

type: keyword

rsa.misc.fresult

This key captures the Filter Result

type: long

rsa.misc.payload_dst

This key is used to capture destination payload

type: keyword

rsa.misc.payload_src

This key is used to capture source payload

type: keyword

rsa.misc.pool_id

This key captures the identifier (typically numeric field) of a resource pool

type: keyword

rsa.misc.process_id_val

This key is a failure key for Process ID when it is not an integer value

type: keyword

rsa.misc.risk_num_comm

This key captures Risk Number Community

type: double

rsa.misc.risk_num_next

This key captures Risk Number NextGen

type: double

rsa.misc.risk_num_sand

This key captures Risk Number SandBox

type: double

rsa.misc.risk_num_static

This key captures Risk Number Static

type: double

rsa.misc.risk_suspicious

Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword

rsa.misc.risk_warning

Deprecated, use New Hunting Model (inv., ioc, boc, eoc, analysis.)

type: keyword

rsa.misc.snmp_oid

SNMP Object Identifier

type: keyword

rsa.misc.sql

This key captures the SQL query

type: keyword

rsa.misc.vuln_ref

This key captures the Vulnerability Reference details

type: keyword

rsa.misc.acl_id

type: keyword

rsa.misc.acl_op

type: keyword

rsa.misc.acl_pos

type: keyword

rsa.misc.acl_table

type: keyword

rsa.misc.admin

type: keyword

rsa.misc.alarm_id

type: keyword

rsa.misc.alarmname

type: keyword

rsa.misc.app_id

type: keyword

rsa.misc.audit

type: keyword

rsa.misc.audit_object

type: keyword

rsa.misc.auditdata

type: keyword

rsa.misc.benchmark

type: keyword

rsa.misc.bypass

type: keyword

rsa.misc.cache

type: keyword

rsa.misc.cache_hit

type: keyword

rsa.misc.cefversion

type: keyword

rsa.misc.cfg_attr

type: keyword

rsa.misc.cfg_obj

type: keyword

rsa.misc.cfg_path

type: keyword

rsa.misc.changes

type: keyword

rsa.misc.client_ip

type: keyword

rsa.misc.clustermembers

type: keyword

rsa.misc.cn_acttimeout

type: keyword

rsa.misc.cn_asn_src

type: keyword

rsa.misc.cn_bgpv4nxthop

type: keyword

rsa.misc.cn_ctr_dst_code

type: keyword

rsa.misc.cn_dst_tos

type: keyword

rsa.misc.cn_dst_vlan

type: keyword

rsa.misc.cn_engine_id

type: keyword

rsa.misc.cn_engine_type

type: keyword

rsa.misc.cn_f_switch

type: keyword

rsa.misc.cn_flowsampid

type: keyword

rsa.misc.cn_flowsampintv

type: keyword

rsa.misc.cn_flowsampmode

type: keyword

rsa.misc.cn_inacttimeout

type: keyword

rsa.misc.cn_inpermbyts

type: keyword

rsa.misc.cn_inpermpckts

type: keyword

rsa.misc.cn_invalid

type: keyword

rsa.misc.cn_ip_proto_ver

type: keyword

rsa.misc.cn_ipv4_ident

type: keyword

rsa.misc.cn_l_switch

type: keyword

rsa.misc.cn_log_did

type: keyword

rsa.misc.cn_log_rid

type: keyword

rsa.misc.cn_max_ttl

type: keyword

rsa.misc.cn_maxpcktlen

type: keyword

rsa.misc.cn_min_ttl

type: keyword

rsa.misc.cn_minpcktlen

type: keyword

rsa.misc.cn_mpls_lbl_1

type: keyword

rsa.misc.cn_mpls_lbl_10

type: keyword

rsa.misc.cn_mpls_lbl_2

type: keyword

rsa.misc.cn_mpls_lbl_3

type: keyword

rsa.misc.cn_mpls_lbl_4

type: keyword

rsa.misc.cn_mpls_lbl_5

type: keyword

rsa.misc.cn_mpls_lbl_6

type: keyword

rsa.misc.cn_mpls_lbl_7

type: keyword

rsa.misc.cn_mpls_lbl_8

type: keyword

rsa.misc.cn_mpls_lbl_9

type: keyword

rsa.misc.cn_mplstoplabel

type: keyword

rsa.misc.cn_mplstoplabip

type: keyword

rsa.misc.cn_mul_dst_byt

type: keyword

rsa.misc.cn_mul_dst_pks

type: keyword

rsa.misc.cn_muligmptype

type: keyword

rsa.misc.cn_sampalgo

type: keyword

rsa.misc.cn_sampint

type: keyword

rsa.misc.cn_seqctr

type: keyword

rsa.misc.cn_spackets

type: keyword

rsa.misc.cn_src_tos

type: keyword

rsa.misc.cn_src_vlan

type: keyword

rsa.misc.cn_sysuptime

type: keyword

rsa.misc.cn_template_id

type: keyword

rsa.misc.cn_totbytsexp

type: keyword

rsa.misc.cn_totflowexp

type: keyword

rsa.misc.cn_totpcktsexp

type: keyword

rsa.misc.cn_unixnanosecs

type: keyword

rsa.misc.cn_v6flowlabel

type: keyword

rsa.misc.cn_v6optheaders

type: keyword

rsa.misc.comp_class

type: keyword

rsa.misc.comp_name

type: keyword

rsa.misc.comp_rbytes

type: keyword

rsa.misc.comp_sbytes

type: keyword

rsa.misc.cpu_data

type: keyword

rsa.misc.criticality

type: keyword

rsa.misc.cs_agency_dst

type: keyword

rsa.misc.cs_analyzedby

type: keyword

rsa.misc.cs_av_other

type: keyword

rsa.misc.cs_av_primary

type: keyword

rsa.misc.cs_av_secondary

type: keyword

rsa.misc.cs_bgpv6nxthop

type: keyword

rsa.misc.cs_bit9status

type: keyword

rsa.misc.cs_context

type: keyword

rsa.misc.cs_control

type: keyword

rsa.misc.cs_data

type: keyword

rsa.misc.cs_datecret

type: keyword

rsa.misc.cs_dst_tld

type: keyword

rsa.misc.cs_eth_dst_ven

type: keyword

rsa.misc.cs_eth_src_ven

type: keyword

rsa.misc.cs_event_uuid

type: keyword

rsa.misc.cs_filetype

type: keyword

rsa.misc.cs_fld

type: keyword

rsa.misc.cs_if_desc

type: keyword

rsa.misc.cs_if_name

type: keyword

rsa.misc.cs_ip_next_hop

type: keyword

rsa.misc.cs_ipv4dstpre

type: keyword

rsa.misc.cs_ipv4srcpre

type: keyword

rsa.misc.cs_lifetime

type: keyword

rsa.misc.cs_log_medium

type: keyword

rsa.misc.cs_loginname

type: keyword

rsa.misc.cs_modulescore

type: keyword

rsa.misc.cs_modulesign

type: keyword

rsa.misc.cs_opswatresult

type: keyword

rsa.misc.cs_payload

type: keyword

rsa.misc.cs_registrant

type: keyword

rsa.misc.cs_registrar

type: keyword

rsa.misc.cs_represult

type: keyword

rsa.misc.cs_rpayload

type: keyword

rsa.misc.cs_sampler_name

type: keyword

rsa.misc.cs_sourcemodule

type: keyword

rsa.misc.cs_streams

type: keyword

rsa.misc.cs_targetmodule

type: keyword

rsa.misc.cs_v6nxthop

type: keyword

rsa.misc.cs_whois_server

type: keyword

rsa.misc.cs_yararesult

type: keyword

rsa.misc.description

type: keyword

rsa.misc.devvendor

type: keyword

rsa.misc.distance

type: keyword

rsa.misc.dstburb

type: keyword

rsa.misc.edomain

type: keyword

rsa.misc.edomaub

type: keyword

rsa.misc.euid

type: keyword

rsa.misc.facility

type: keyword

rsa.misc.finterface

type: keyword

rsa.misc.flags

type: keyword

rsa.misc.gaddr

type: keyword

rsa.misc.id3

type: keyword

rsa.misc.im_buddyname

type: keyword

rsa.misc.im_croomid

type: keyword

rsa.misc.im_croomtype

type: keyword

rsa.misc.im_members

type: keyword

rsa.misc.im_username

type: keyword

rsa.misc.ipkt

type: keyword

rsa.misc.ipscat

type: keyword

rsa.misc.ipspri

type: keyword

rsa.misc.latitude

type: keyword

rsa.misc.linenum

type: keyword

rsa.misc.list_name

type: keyword

rsa.misc.load_data

type: keyword

rsa.misc.location_floor

type: keyword

rsa.misc.location_mark

type: keyword

rsa.misc.log_id

type: keyword

rsa.misc.log_type

type: keyword

rsa.misc.logid

type: keyword

rsa.misc.logip

type: keyword

rsa.misc.logname

type: keyword

rsa.misc.longitude

type: keyword

rsa.misc.lport

type: keyword

rsa.misc.mbug_data

type: keyword

rsa.misc.misc_name

type: keyword

rsa.misc.msg_type

type: keyword

rsa.misc.msgid

type: keyword

rsa.misc.netsessid

type: keyword

rsa.misc.num

type: keyword

rsa.misc.number1

type: keyword

rsa.misc.number2

type: keyword

rsa.misc.nwwn

type: keyword

rsa.misc.object

type: keyword

rsa.misc.operation

type: keyword

rsa.misc.opkt

type: keyword

rsa.misc.orig_from

type: keyword

rsa.misc.owner_id

type: keyword

rsa.misc.p_action

type: keyword

rsa.misc.p_filter

type: keyword

rsa.misc.p_group_object

type: keyword

rsa.misc.p_id

type: keyword

rsa.misc.p_msgid1

type: keyword

rsa.misc.p_msgid2

type: keyword

rsa.misc.p_result1

type: keyword

rsa.misc.password_chg

type: keyword

rsa.misc.password_expire

type: keyword

rsa.misc.permgranted

type: keyword

rsa.misc.permwanted

type: keyword

rsa.misc.pgid

type: keyword

rsa.misc.policyUUID

type: keyword

rsa.misc.prog_asp_num

type: keyword

rsa.misc.program

type: keyword

rsa.misc.real_data

type: keyword

rsa.misc.rec_asp_device

type: keyword

rsa.misc.rec_asp_num

type: keyword

rsa.misc.rec_library

type: keyword

rsa.misc.recordnum

type: keyword

rsa.misc.ruid

type: keyword

rsa.misc.sburb

type: keyword

rsa.misc.sdomain_fld

type: keyword

rsa.misc.sec

type: keyword

rsa.misc.sensorname

type: keyword

rsa.misc.seqnum

type: keyword

rsa.misc.session

type: keyword

rsa.misc.sessiontype

type: keyword

rsa.misc.sigUUID

type: keyword

rsa.misc.spi

type: keyword

rsa.misc.srcburb

type: keyword

rsa.misc.srcdom

type: keyword

rsa.misc.srcservice

type: keyword

rsa.misc.state

type: keyword

rsa.misc.status1

type: keyword

rsa.misc.svcno

type: keyword

rsa.misc.system

type: keyword

rsa.misc.tbdstr1

type: keyword

rsa.misc.tgtdom

type: keyword

rsa.misc.tgtdomain

type: keyword

rsa.misc.threshold

type: keyword

rsa.misc.type1

type: keyword

rsa.misc.udb_class

type: keyword

rsa.misc.url_fld

type: keyword

rsa.misc.user_div

type: keyword

rsa.misc.userid

type: keyword

rsa.misc.username_fld

type: keyword

rsa.misc.utcstamp

type: keyword

rsa.misc.v_instafname

type: keyword

rsa.misc.virt_data

type: keyword

rsa.misc.vpnid

type: keyword

rsa.misc.autorun_type

This is used to capture Auto Run type

type: keyword

rsa.misc.cc_number

Valid Credit Card Numbers only

type: long

rsa.misc.content

This key captures the content type from protocol headers

type: keyword

rsa.misc.ein_number

Employee Identification Numbers only

type: long

rsa.misc.found

This is used to capture the results of regex match

type: keyword

rsa.misc.language

This is used to capture the list of languages the client supports and which it prefers

type: keyword

rsa.misc.lifetime

This key is used to capture the session lifetime in seconds.

type: long

rsa.misc.link

This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness

type: keyword

rsa.misc.match

This key is for regex match name from search.ini

type: keyword

rsa.misc.param_dst

This key captures the command line/launch argument of the target process or file

type: keyword

rsa.misc.param_src

This key captures source parameter

type: keyword

rsa.misc.search_text

This key captures the Search Text used

type: keyword

rsa.misc.sig_name

This key is used to capture the Signature Name only.

type: keyword

rsa.misc.snmp_value

SNMP set request value

type: keyword

rsa.misc.streams

This key captures number of streams in session

type: long

rsa.db.index

This key captures IndexID of the index.

type: keyword

rsa.db.instance

This key is used to capture the database server instance name

type: keyword

rsa.db.database

This key is used to capture the name of a database or an instance as seen in a session

type: keyword

rsa.db.transact_id

This key captures the SQL transaction ID of the current session

type: keyword

rsa.db.permissions

This key captures permission or privilege level assigned to a resource.

type: keyword

rsa.db.table_name

This key is used to capture the table name

type: keyword

rsa.db.db_id

This key is used to capture the unique identifier for a database

type: keyword

rsa.db.db_pid

This key captures the process ID of a connection with the database server

type: long

rsa.db.lread

This key is used for the number of logical reads

type: long

rsa.db.lwrite

This key is used for the number of logical writes

type: long

rsa.db.pread

This key is used for the number of physical reads

type: long

rsa.network.alias_host

This key should be used when the source or destination context of a hostname is not clear. It also captures the device hostname: any hostname that isn't ad.computer.

type: keyword

rsa.network.domain

type: keyword

rsa.network.host_dst

This key should only be used when it’s a Destination Hostname

type: keyword

rsa.network.network_service

This is used to capture layer 7 protocols/service names

type: keyword

rsa.network.interface

This key should be used when the source or destination context of an interface is not clear

type: keyword

rsa.network.network_port

Deprecated, use port. NOTE: there is a type discrepancy as currently used: the table map declares Int32 and the index UInt64, whereas a port is correctly a UInt16.

type: long

rsa.network.eth_host

Deprecated, use alias.mac

type: keyword

rsa.network.sinterface

This key should only be used when it’s a Source Interface

type: keyword

rsa.network.dinterface

This key should only be used when it’s a Destination Interface

type: keyword

rsa.network.vlan

This key should only be used to capture the ID of the Virtual LAN

type: long

rsa.network.zone_src

This key should only be used when it’s a Source Zone.

type: keyword

rsa.network.zone

This key should be used when the source or destination context of a Zone is not clear

type: keyword

rsa.network.zone_dst

This key should only be used when it’s a Destination Zone.

type: keyword

rsa.network.gateway

This key is used to capture the IP Address of the gateway

type: keyword

rsa.network.icmp_type

This key is used to capture the ICMP type only

type: long

rsa.network.mask

This key is used to capture the device network IPmask.

type: keyword

rsa.network.icmp_code

This key is used to capture the ICMP code only

type: long

rsa.network.protocol_detail

This key should be used to capture additional protocol information

type: keyword

rsa.network.dmask

This key is used for the destination device network mask

type: keyword

rsa.network.port

This key should only be used to capture a Network Port when the directionality is not clear

type: long

rsa.network.smask

This key is used for capturing source Network Mask

type: keyword

rsa.network.netname

This key is used to capture the network name associated with an IP range. This is configured by the end user.

type: keyword

rsa.network.paddr

Deprecated

type: ip

rsa.network.faddr

type: keyword

rsa.network.lhost

type: keyword

rsa.network.origin

type: keyword

rsa.network.remote_domain_id

type: keyword

rsa.network.addr

type: keyword

rsa.network.dns_a_record

type: keyword

rsa.network.dns_ptr_record

type: keyword

rsa.network.fhost

type: keyword

rsa.network.fport

type: keyword

rsa.network.laddr

type: keyword

rsa.network.linterface

type: keyword

rsa.network.phost

type: keyword

rsa.network.ad_computer_dst

Deprecated, use host.dst

type: keyword

rsa.network.eth_type

This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only

type: long

rsa.network.ip_proto

This key should be used to capture the protocol number; all protocol numbers are converted to strings in the UI

type: long

rsa.network.dns_cname_record

type: keyword

rsa.network.dns_id

type: keyword

rsa.network.dns_opcode

type: keyword

rsa.network.dns_resp

type: keyword

rsa.network.dns_type

type: keyword

rsa.network.domain1

type: keyword

rsa.network.host_type

type: keyword

rsa.network.packet_length

type: keyword

rsa.network.host_orig

This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.

type: keyword

rsa.network.rpayload

This key is used to capture the total number of payload bytes seen in the retransmitted packets.

type: keyword

rsa.network.vlan_name

This key should only be used to capture the name of the Virtual LAN

type: keyword

rsa.investigations.ec_activity

This key captures the particular event activity(Ex:Logoff)

type: keyword

rsa.investigations.ec_theme

This key captures the Theme of a particular Event(Ex:Authentication)

type: keyword

rsa.investigations.ec_subject

This key captures the Subject of a particular Event(Ex:User)

type: keyword

rsa.investigations.ec_outcome

This key captures the outcome of a particular Event(Ex:Success)

type: keyword

rsa.investigations.event_cat

This key captures the Event category number

type: long

rsa.investigations.event_cat_name

This key captures the event category name corresponding to the event cat code

type: keyword

rsa.investigations.event_vcat

This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.

type: keyword

rsa.investigations.analysis_file

This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file

type: keyword

rsa.investigations.analysis_service

This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service

type: keyword

rsa.investigations.analysis_session

This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session

type: keyword

rsa.investigations.boc

This is used to capture behaviour of compromise

type: keyword

rsa.investigations.eoc

This is used to capture Enablers of Compromise

type: keyword

rsa.investigations.inv_category

This is used to capture the investigation category

type: keyword

rsa.investigations.inv_context

This is used to capture the investigation context

type: keyword

rsa.investigations.ioc

This key captures indicators of compromise

type: keyword

rsa.counters.dclass_c1

This is a generic counter key that should be used with the label dclass.c1.str only

type: long

rsa.counters.dclass_c2

This is a generic counter key that should be used with the label dclass.c2.str only

type: long

rsa.counters.event_counter

This is used to capture the number of times an event repeated

type: long

rsa.counters.dclass_r1

This is a generic ratio key that should be used with the label dclass.r1.str only

type: keyword

rsa.counters.dclass_c3

This is a generic counter key that should be used with the label dclass.c3.str only

type: long

rsa.counters.dclass_c1_str

This is a generic counter string key that should be used with the label dclass.c1 only

type: keyword

rsa.counters.dclass_c2_str

This is a generic counter string key that should be used with the label dclass.c2 only

type: keyword

rsa.counters.dclass_r1_str

This is a generic ratio string key that should be used with the label dclass.r1 only

type: keyword

rsa.counters.dclass_r2

This is a generic ratio key that should be used with the label dclass.r2.str only

type: keyword

rsa.counters.dclass_c3_str

This is a generic counter string key that should be used with the label dclass.c3 only

type: keyword

rsa.counters.dclass_r3

This is a generic ratio key that should be used with the label dclass.r3.str only

type: keyword

rsa.counters.dclass_r2_str

This is a generic ratio string key that should be used with the label dclass.r2 only

type: keyword

rsa.counters.dclass_r3_str

This is a generic ratio string key that should be used with the label dclass.r3 only

type: keyword

rsa.identity.auth_method

This key is used to capture authentication methods used only

type: keyword

rsa.identity.user_role

This key is used to capture the Role of a user only

type: keyword

rsa.identity.dn

X.500 (LDAP) Distinguished Name

type: keyword

rsa.identity.logon_type

This key is used to capture the type of logon method used.

type: keyword

rsa.identity.profile

This key is used to capture the user profile

type: keyword

rsa.identity.accesses

This key is used to capture actual privileges used in accessing an object

type: keyword

rsa.identity.realm

Radius realm or similar grouping of accounts

type: keyword

rsa.identity.user_sid_dst

This key captures Destination User Session ID

type: keyword

rsa.identity.dn_src

An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn

type: keyword

rsa.identity.org

This key captures the User organization

type: keyword

rsa.identity.dn_dst

An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn

type: keyword

rsa.identity.firstname

This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword

rsa.identity.lastname

This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword

rsa.identity.user_dept

User’s Department Names only

type: keyword

rsa.identity.user_sid_src

This key captures Source User Session ID

type: keyword

rsa.identity.federated_sp

This key is the Federated Service Provider. This is the application requesting authentication.

type: keyword

rsa.identity.federated_idp

This key is the federated Identity Provider. This is the server providing the authentication.

type: keyword

rsa.identity.logon_type_desc

This key is used to capture the textual description of an integer logon type as stored in the meta key logon.type.

type: keyword

rsa.identity.middlename

This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword

rsa.identity.password

This key is for Passwords seen in any session, plain text or encrypted

type: keyword

rsa.identity.host_role

This key should only be used to capture the role of a Host Machine

type: keyword

rsa.identity.ldap

This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context

type: keyword

rsa.identity.ldap_query

This key is the Search criteria from an LDAP search

type: keyword

rsa.identity.ldap_response

This key is to capture Results from an LDAP search

type: keyword

rsa.identity.owner

This is used to capture username the process or service is running as, the author of the task

type: keyword

rsa.identity.service_account

This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage

type: keyword

rsa.email.email_dst

This key is used to capture the Destination email address only, when the destination context is not clear use email

type: keyword

rsa.email.email_src

This key is used to capture the source email address only, when the source context is not clear use email

type: keyword

rsa.email.subject

This key is used to capture the subject string from an Email only.

type: keyword

rsa.email.email

This key is used to capture a generic email address where the source or destination context is not clear

type: keyword

rsa.email.trans_from

Deprecated key defined only in table map.

type: keyword

rsa.email.trans_to

Deprecated key defined only in table map.

type: keyword

rsa.file.privilege

Deprecated, use permissions

type: keyword

rsa.file.attachment

This key captures the attachment file name

type: keyword

rsa.file.filesystem

type: keyword

rsa.file.binary

Deprecated key defined only in table map.

type: keyword

rsa.file.filename_dst

This is used to capture name of the file targeted by the action

type: keyword

rsa.file.filename_src

This is used to capture name of the parent filename, the file which performed the action

type: keyword

rsa.file.filename_tmp

type: keyword

rsa.file.directory_dst

This key is used to capture the directory of the target process or file

type: keyword

rsa.file.directory_src

This key is used to capture the directory of the source process or file

type: keyword

rsa.file.file_entropy

This is used to capture the entropy value of a file

type: double

rsa.file.file_vendor

This is used to capture Company name of file located in version_info

type: keyword

rsa.file.task_name

This is used to capture name of the task

type: keyword

rsa.web.fqdn

Fully Qualified Domain Names

type: keyword

rsa.web.web_cookie

This key is used to capture the Web cookies specifically.

type: keyword

rsa.web.alias_host

type: keyword

rsa.web.reputation_num

Reputation Number of an entity. Typically used for Web Domains

type: double

rsa.web.web_ref_domain

Web referer’s domain

type: keyword

rsa.web.web_ref_query

This key captures Web referer’s query portion of the URL

type: keyword

rsa.web.remote_domain

type: keyword

rsa.web.web_ref_page

This key captures Web referer’s page information

type: keyword

rsa.web.web_ref_root

Web referer’s root URL path

type: keyword

rsa.web.cn_asn_dst

type: keyword

rsa.web.cn_rpackets

type: keyword

rsa.web.urlpage

type: keyword

rsa.web.urlroot

type: keyword

rsa.web.p_url

type: keyword

rsa.web.p_user_agent

type: keyword

rsa.web.p_web_cookie

type: keyword

rsa.web.p_web_method

type: keyword

rsa.web.p_web_referer

type: keyword

rsa.web.web_extension_tmp

type: keyword

rsa.web.web_page

type: keyword

rsa.threat.threat_category

This key captures Threat Name/Threat Category/Categorization of alert

type: keyword

rsa.threat.threat_desc

This key is used to capture the threat description from the session directly or inferred

type: keyword

rsa.threat.alert

This key is used to capture name of the alert

type: keyword

rsa.threat.threat_source

This key is used to capture source of the threat

type: keyword

rsa.crypto.crypto

This key is used to capture the Encryption Type or Encryption Key only

type: keyword

rsa.crypto.cipher_src

This key is for Source (Client) Cipher

type: keyword

rsa.crypto.cert_subject

This key is used to capture the Certificate organization only

type: keyword

rsa.crypto.peer

This key is for Encryption peer’s IP Address

type: keyword

rsa.crypto.cipher_size_src

This key captures Source (Client) Cipher Size

type: long

rsa.crypto.ike

IKE negotiation phase.

type: keyword

rsa.crypto.scheme

This key captures the Encryption scheme used

type: keyword

rsa.crypto.peer_id

This key is for Encryption peer’s identity

type: keyword

rsa.crypto.sig_type

This key captures the Signature Type

type: keyword

rsa.crypto.cert_issuer

type: keyword

rsa.crypto.cert_host_name

Deprecated key defined only in table map.

type: keyword

rsa.crypto.cert_error

This key captures the Certificate Error String

type: keyword

rsa.crypto.cipher_dst

This key is for Destination (Server) Cipher

type: keyword

rsa.crypto.cipher_size_dst

This key captures Destination (Server) Cipher Size

type: long

rsa.crypto.ssl_ver_src

Deprecated, use version

type: keyword

rsa.crypto.d_certauth

type: keyword

rsa.crypto.s_certauth

type: keyword

rsa.crypto.ike_cookie1

ID of the negotiation — sent for ISAKMP Phase One

type: keyword

rsa.crypto.ike_cookie2

ID of the negotiation — sent for ISAKMP Phase Two

type: keyword

rsa.crypto.cert_checksum

type: keyword

rsa.crypto.cert_host_cat

This key is used for the hostname category value of a certificate

type: keyword

rsa.crypto.cert_serial

This key is used to capture the Certificate serial number only

type: keyword

rsa.crypto.cert_status

This key captures Certificate validation status

type: keyword

rsa.crypto.ssl_ver_dst

Deprecated, use version

type: keyword

rsa.crypto.cert_keysize

type: keyword

rsa.crypto.cert_username

type: keyword

rsa.crypto.https_insact

type: keyword

rsa.crypto.https_valid

type: keyword

rsa.crypto.cert_ca

This key is used to capture the Certificate signing authority only

type: keyword

rsa.crypto.cert_common

This key is used to capture the Certificate common name only

type: keyword

rsa.wireless.wlan_ssid

This key is used to capture the ssid of a Wireless Session

type: keyword

rsa.wireless.access_point

This key is used to capture the access point name.

type: keyword

rsa.wireless.wlan_channel

This is used to capture the channel names

type: long

rsa.wireless.wlan_name

This key captures the WLAN number or name

type: keyword

rsa.storage.disk_volume

A unique name assigned to logical units (volumes) within a physical disk

type: keyword

rsa.storage.lun

Logical Unit Number. This key is a very useful concept in storage.

type: keyword

rsa.storage.pwwn

This uniquely identifies a port on a HBA.

type: keyword

rsa.physical.org_dst

This is used to capture the destination organization based on the MaxMind GeoIP database.

type: keyword

rsa.physical.org_src

This is used to capture the source organization based on the MaxMind GeoIP database.

type: keyword

rsa.healthcare.patient_fname

This key is for First Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword

rsa.healthcare.patient_id

This key captures the unique ID for a patient

type: keyword

rsa.healthcare.patient_lname

This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword

rsa.healthcare.patient_mname

This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information

type: keyword

rsa.endpoint.host_state

This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on

type: keyword

rsa.endpoint.registry_key

This key captures the path to the registry key

type: keyword

rsa.endpoint.registry_value

This key captures values or decorators used within a registry entry

type: keyword

fortinet

Fields from fortinet FortiOS

fortinet.file.hash.crc32

CRC32 Hash of file

type: keyword

firewall

Module for parsing Fortinet syslog.
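FortiOS writes each syslog record as space-separated key=value pairs, quoting values that contain spaces, and the fields below are what those keys become once typed. The module's own parser is an ingest pipeline; the block that follows is an added Python example (not the module's code) showing how such a line is split and how each value is coerced to the type the table declares, keeping the raw string and flagging an error when coercion fails. It assumes a subset of the types listed below (FIELD_TYPES), that quoted values never contain a double quote, and for simplicity puts every key under fortinet.firewall.* even though the real module maps some keys (for example srcip) to ECS fields instead. The sample lines are constructed, not device output.

```python
import ipaddress
import json
import re
from typing import Any, Dict, List, Optional, Tuple

# Declared types for a subset of the fortinet.firewall.* keys listed on this
# page. Anything not in this map is kept as a keyword (string).
FIELD_TYPES: Dict[str, str] = {
    "addr": "ip", "assigned": "ip", "assignip": "ip", "botnetip": "ip",
    "ddnsserver": "ip", "domainctrlip": "ip", "gateway": "ip",
    "age": "integer", "alarmid": "integer", "appid": "integer",
    "attackid": "integer", "cat": "integer", "centralnatid": "integer",
    "channel": "integer", "count": "integer", "countav": "integer",
    "countips": "integer", "countweb": "integer", "cpu": "integer",
    "craction": "integer", "crscore": "integer", "dstserver": "integer",
    "encrypt": "integer", "groupid": "integer",
    "auditid": "long", "audittime": "long", "disklograte": "long",
    "fazlograte": "long",
}

# One key=value pair: the value is either double-quoted (may contain spaces
# and '=') or a bare token running to the next whitespace.
_KV_RE = re.compile(r'([A-Za-z_][\w\-]*)=("[^"]*"|[^\s"]+)')

# Constructed sample lines in FortiOS syslog style (not real device output).
SAMPLE_LINES: List[str] = [
    'date=2021-03-10 time=14:22:07 devname="FGT60E-LAB" devid="FGT60E0000000000" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.1.1.5 srcport=51234 srcintf="port2" srcintfrole="lan" '
    'dstip=203.0.113.80 dstport=443 dstintf="wan1" dstintfrole="wan" '
    'sessionid=123456 proto=6 action="accept" policyid=7 service="HTTPS" '
    'dstcountry="United States" srccountry="Reserved" duration=12 '
    'sentbyte=1234 rcvdbyte=5678 appid=15893 countweb=1 '
    'msg="URL=https://example.test/?a=b&c=d"',
    'date=2021-03-10 time=14:22:09 devname="FGT60E-LAB" devid="FGT60E0000000000" '
    'logid="0100040704" type="event" subtype="system" level="notice" vd="root" '
    'logdesc="System performance statistics" action="perf-stats" cpu=n/a '
    'msg="Performance statistics: average CPU: n/a"',
]


def coerce(key: str, raw: str) -> Tuple[Any, Optional[str]]:
    """Convert raw text to the declared type. Returns (value, error)."""
    ftype = FIELD_TYPES.get(key, "keyword")
    try:
        if ftype == "ip":
            return str(ipaddress.ip_address(raw)), None
        if ftype in ("integer", "long"):
            return int(raw), None
        return raw, None
    except ValueError:
        # Keep the raw string rather than dropping the event, and record the
        # mismatch so parser drift shows up in a dashboard instead of silently.
        return raw, f"{key}: expected {ftype}, got {raw!r}"


def parse_fortios_line(line: str) -> Dict[str, Any]:
    """Parse one FortiOS key=value log line into fortinet.firewall.* fields."""
    event: Dict[str, Any] = {}
    errors: List[str] = []
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1]  # strip the surrounding quotes
        value, err = coerce(key, raw)
        event[f"fortinet.firewall.{key}"] = value
        if err:
            errors.append(err)
    if errors:
        event["error.message"] = errors
    return event


def parse_fortios_lines(lines: List[str]) -> List[Dict[str, Any]]:
    return [parse_fortios_line(line) for line in lines]


if __name__ == "__main__":
    for ev in parse_fortios_lines(SAMPLE_LINES):
        print(json.dumps(ev, indent=2, sort_keys=True))
```

The second sample line shows why the coercion step matters: cpu is declared integer, but a device can emit cpu=n/a, and a pipeline that simply casts would reject the whole event. Keeping the raw value and attaching error.message preserves the record and makes the type mismatch searchable.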

fortinet.firewall.acct_stat

Accounting state (RADIUS)

type: keyword

fortinet.firewall.acktime

Alarm Acknowledge Time

type: keyword

fortinet.firewall.act

Action

type: keyword

fortinet.firewall.action

Status of the session

type: keyword

fortinet.firewall.activity

HA activity message

type: keyword

fortinet.firewall.addr

IP Address

type: ip

fortinet.firewall.addr_type

Address Type

type: keyword

fortinet.firewall.addrgrp

Address Group

type: keyword

fortinet.firewall.adgroup

AD Group Name

type: keyword

fortinet.firewall.admin

Admin User

type: keyword

fortinet.firewall.age

Time in seconds - time passed since last seen

type: integer

fortinet.firewall.agent

User agent, e.g. agent="Mozilla/5.0"

type: keyword

fortinet.firewall.alarmid

Alarm ID

type: integer

fortinet.firewall.alert

Alert

type: keyword

fortinet.firewall.analyticscksum

The checksum of the file submitted for analytics

type: keyword

fortinet.firewall.analyticssubmit

The flag for analytics submission

type: keyword

fortinet.firewall.ap

Access Point

type: keyword

fortinet.firewall.app-type

Address Type

type: keyword

fortinet.firewall.appact

The security action from app control

type: keyword

fortinet.firewall.appid

Application ID

type: integer

fortinet.firewall.applist

Application Control profile

type: keyword

fortinet.firewall.apprisk

Application Risk Level

type: keyword

fortinet.firewall.apscan

The name of the AP, which scanned and detected the rogue AP

type: keyword

fortinet.firewall.apsn

Access Point serial number

type: keyword

fortinet.firewall.apstatus

Access Point status

type: keyword

fortinet.firewall.aptype

Access Point type

type: keyword

fortinet.firewall.assigned

Assigned IP Address

type: ip

fortinet.firewall.assignip

Assigned IP Address

type: ip

fortinet.firewall.attachment

The flag for email attachment

type: keyword

fortinet.firewall.attack

Attack Name

type: keyword

fortinet.firewall.attackcontext

The trigger patterns and the packet data, base64 encoded

type: keyword

fortinet.firewall.attackcontextid

Attack context id / total

type: keyword

fortinet.firewall.attackid

Attack ID

type: integer

fortinet.firewall.auditid

Audit ID

type: long

fortinet.firewall.auditscore

The Audit Score

type: keyword

fortinet.firewall.audittime

The time of the audit

type: long

fortinet.firewall.authgrp

Authorization Group

type: keyword

fortinet.firewall.authid

Authentication ID

type: keyword

fortinet.firewall.authproto

The protocol that initiated the authentication

type: keyword

fortinet.firewall.authserver

Authentication server

type: keyword

fortinet.firewall.bandwidth

Bandwidth

type: keyword

fortinet.firewall.banned_rule

NAC quarantine Banned Rule Name

type: keyword

fortinet.firewall.banned_src

NAC quarantine Banned Source IP

type: keyword

fortinet.firewall.banword

Banned word

type: keyword

fortinet.firewall.botnetdomain

Botnet Domain Name

type: keyword

fortinet.firewall.botnetip

Botnet IP Address

type: ip

fortinet.firewall.bssid

Basic Service Set ID (BSSID)

type: keyword

fortinet.firewall.call_id

Caller ID

type: keyword

fortinet.firewall.carrier_ep

The FortiOS Carrier end-point identification

type: keyword

fortinet.firewall.cat

DNS category ID

type: integer

fortinet.firewall.category

Authentication category

type: keyword

fortinet.firewall.cc

CC Email Address

type: keyword

fortinet.firewall.cdrcontent

Cdrcontent

type: keyword

fortinet.firewall.centralnatid

Central NAT ID

type: integer

fortinet.firewall.cert

Certificate

type: keyword

fortinet.firewall.cert-type

Certificate type

type: keyword

fortinet.firewall.certhash

Certificate hash

type: keyword

fortinet.firewall.cfgattr

Configuration attribute

type: keyword

fortinet.firewall.cfgobj

Configuration object

type: keyword

fortinet.firewall.cfgpath

Configuration path

type: keyword

fortinet.firewall.cfgtid

Configuration transaction ID

type: keyword

fortinet.firewall.cfgtxpower

Configuration TX power

type: integer

fortinet.firewall.channel

Wireless Channel

type: integer

fortinet.firewall.channeltype

SSH channel type

type: keyword

fortinet.firewall.chassisid

Chassis ID

type: integer

fortinet.firewall.checksum

The checksum of the scanned file

type: keyword

fortinet.firewall.chgheaders

HTTP Headers

type: keyword

fortinet.firewall.cldobjid

Connector object ID

type: keyword

fortinet.firewall.client_addr

Wifi client address

type: keyword

fortinet.firewall.cloudaction

Cloud Action

type: keyword

fortinet.firewall.clouduser

Cloud User

type: keyword

fortinet.firewall.column

VOIP Column

type: integer

fortinet.firewall.command

CLI Command

type: keyword

fortinet.firewall.community

SNMP Community

type: keyword

fortinet.firewall.configcountry

Configuration country

type: keyword

fortinet.firewall.connection_type

FortiClient Connection Type

type: keyword

fortinet.firewall.conserve

Flag for conserve mode

type: keyword

fortinet.firewall.constraint

WAF http protocol restrictions

type: keyword

fortinet.firewall.contentdisarmed

Email scanned content

type: keyword

fortinet.firewall.contenttype

Content Type from HTTP header

type: keyword

fortinet.firewall.cookies

VPN Cookie

type: keyword

fortinet.firewall.count

Counts of action type

type: integer

fortinet.firewall.countapp

Number of App Ctrl logs associated with the session

type: integer

fortinet.firewall.countav

Number of AV logs associated with the session

type: integer

fortinet.firewall.countcifs

Number of CIFS logs associated with the session

type: integer

fortinet.firewall.countdlp

Number of DLP logs associated with the session

type: integer

fortinet.firewall.countdns

Number of DNS logs associated with the session

type: integer

fortinet.firewall.countemail

Number of email logs associated with the session

type: integer

fortinet.firewall.countff

Number of ff logs associated with the session

type: integer

fortinet.firewall.countips

Number of IPS logs associated with the session

type: integer

fortinet.firewall.countssh

Number of SSH logs associated with the session

type: integer

fortinet.firewall.countssl

Number of SSL logs associated with the session

type: integer

fortinet.firewall.countwaf

Number of WAF logs associated with the session

type: integer

fortinet.firewall.countweb

Number of Web filter logs associated with the session

type: integer

fortinet.firewall.cpu

CPU Usage

type: integer

fortinet.firewall.craction

Client Reputation Action

type: integer

fortinet.firewall.criticalcount

Number of critical ratings

type: integer

fortinet.firewall.crl

Client Reputation Level

type: keyword

fortinet.firewall.crlevel

Client Reputation Level

type: keyword

fortinet.firewall.crscore

Client Reputation Score

type: integer

fortinet.firewall.cveid

CVE ID

type: keyword

fortinet.firewall.daemon

Daemon name

type: keyword

fortinet.firewall.datarange

Data range for reports

type: keyword

fortinet.firewall.date

Date

type: keyword

fortinet.firewall.ddnsserver

DDNS server

type: ip

fortinet.firewall.desc

Description

type: keyword

fortinet.firewall.detectionmethod

Detection method

type: keyword

fortinet.firewall.devcategory

Device category

type: keyword

fortinet.firewall.devintfname

HA device Interface Name

type: keyword

fortinet.firewall.devtype

Device type

type: keyword

fortinet.firewall.dhcp_msg

DHCP Message

type: keyword

fortinet.firewall.dintf

Destination interface

type: keyword

fortinet.firewall.disk

Associated disk

type: keyword

fortinet.firewall.disklograte

Disk logging rate

type: long

fortinet.firewall.dlpextra

DLP extra information

type: keyword

fortinet.firewall.docsource

DLP fingerprint document source

type: keyword

fortinet.firewall.domainctrlauthstate

CIFS domain auth state

type: integer

fortinet.firewall.domainctrlauthtype

CIFS domain auth type

type: integer

fortinet.firewall.domainctrldomain

CIFS domain auth domain

type: keyword

fortinet.firewall.domainctrlip

CIFS Domain IP

type: ip

fortinet.firewall.domainctrlname

CIFS Domain name

type: keyword

fortinet.firewall.domainctrlprotocoltype

CIFS Domain connection protocol

type: integer

fortinet.firewall.domainctrlusername

CIFS Domain username

type: keyword

fortinet.firewall.domainfilteridx

Domain filter ID

type: integer

fortinet.firewall.domainfilterlist

Domain filter name

type: keyword

fortinet.firewall.ds

Direction with distribution system

type: keyword

fortinet.firewall.dst_int

Destination interface

type: keyword

fortinet.firewall.dstintfrole

Destination interface role

type: keyword

fortinet.firewall.dstcountry

Destination country

type: keyword

fortinet.firewall.dstdevcategory

Destination device category

type: keyword

fortinet.firewall.dstdevtype

Destination device type

type: keyword

fortinet.firewall.dstfamily

Destination OS family

type: keyword

fortinet.firewall.dsthwvendor

Destination HW vendor

type: keyword

fortinet.firewall.dsthwversion

Destination HW version

type: keyword

fortinet.firewall.dstinetsvc

Destination Internet Service

type: keyword

fortinet.firewall.dstosname

Destination OS name

type: keyword

fortinet.firewall.dstosversion

Destination OS version

type: keyword

fortinet.firewall.dstserver

Destination server

type: integer

fortinet.firewall.dstssid

Destination SSID

type: keyword

fortinet.firewall.dstswversion

Destination software version

type: keyword

fortinet.firewall.dstunauthusersource

Destination unauthenticated source

type: keyword

fortinet.firewall.dstuuid

UUID of the Destination IP address

type: keyword

fortinet.firewall.duid

DHCP UID

type: keyword

fortinet.firewall.eapolcnt

EAPOL packet count

type: integer

fortinet.firewall.eapoltype

EAPOL packet type

type: keyword

fortinet.firewall.encrypt

Whether the packet is encrypted or not

type: integer

fortinet.firewall.encryption

Encryption method

type: keyword

fortinet.firewall.epoch

Epoch used for locating file

type: integer

fortinet.firewall.espauth

ESP Authentication

type: keyword

fortinet.firewall.esptransform

ESP Transform

type: keyword

fortinet.firewall.eventtype

UTM Event Type

type: keyword

fortinet.firewall.exch

Mail Exchanges from DNS response answer section

type: keyword

fortinet.firewall.exchange

Mail Exchanges from DNS response answer section

type: keyword

fortinet.firewall.expectedsignature

Expected SSL signature

type: keyword

fortinet.firewall.expiry

FortiGuard override expiry timestamp

type: keyword

fortinet.firewall.fams_pause

Fortinet Analysis and Management Service Pause

type: integer

fortinet.firewall.fazlograte

FortiAnalyzer Logging Rate

type: long

fortinet.firewall.fctemssn

FortiClient Endpoint SSN

type: keyword

fortinet.firewall.fctuid

FortiClient UID

type: keyword

fortinet.firewall.field

NTP status field

type: keyword

fortinet.firewall.filefilter

The filter used to identify the affected file

type: keyword

fortinet.firewall.filehashsrc

Filehash source

type: keyword

fortinet.firewall.filtercat

DLP filter category

type: keyword

fortinet.firewall.filteridx

DLP filter ID

type: integer

fortinet.firewall.filtername

DLP rule name

type: keyword

fortinet.firewall.filtertype

DLP filter type

type: keyword

fortinet.firewall.fortiguardresp

Antispam ESP value

type: keyword

fortinet.firewall.forwardedfor

Email address forwarded

type: keyword

fortinet.firewall.fqdn

FQDN

type: keyword

fortinet.firewall.frametype

Wireless frametype

type: keyword

fortinet.firewall.freediskstorage

Free disk storage

type: integer

fortinet.firewall.from

From email address

type: keyword

fortinet.firewall.from_vcluster

Source virtual cluster number

type: integer

fortinet.firewall.fsaverdict

FSA verdict

type: keyword

fortinet.firewall.fwserver_name

Web proxy server name

type: keyword

fortinet.firewall.gateway

Gateway IP address for PPPoE status report

type: ip

fortinet.firewall.green

Memory status

type: keyword

fortinet.firewall.groupid

User Group ID

type: integer

fortinet.firewall.ha-prio

HA Priority

type: integer

fortinet.firewall.ha_group

HA Group

type: keyword

fortinet.firewall.ha_role

HA Role

type: keyword

fortinet.firewall.handshake

SSL Handshake

type: keyword

fortinet.firewall.hash

Hash value of downloaded file

type: keyword

fortinet.firewall.hbdn_reason

Heartbeat down reason

type: keyword

fortinet.firewall.highcount

Highcount fabric summary

type: integer

fortinet.firewall.host

Hostname

type: keyword

fortinet.firewall.iaid

DHCPv6 id

type: keyword

fortinet.firewall.icmpcode

ICMP code; FortiOS logs it in the destination-port position of the ICMP message

type: keyword

fortinet.firewall.icmpid

ICMP identifier; FortiOS logs it in the source-port position of the ICMP message

type: keyword

fortinet.firewall.icmptype

The type of ICMP message

type: keyword

fortinet.firewall.identifier

Network traffic identifier

type: integer

fortinet.firewall.in_spi

IPSEC inbound SPI

type: keyword

fortinet.firewall.incidentserialno

Incident serial number

type: integer

fortinet.firewall.infected

Infected MMS

type: integer

fortinet.firewall.infectedfilelevel

DLP infected file level

type: integer

fortinet.firewall.informationsource

Information source

type: keyword

fortinet.firewall.init

IPSEC init stage

type: keyword

fortinet.firewall.initiator

Original login user name for Fortiguard override

type: keyword

fortinet.firewall.interface

Related interface

type: keyword

fortinet.firewall.intf

Related interface

type: keyword

fortinet.firewall.invalidmac

The MAC address with invalid OUI

type: keyword

fortinet.firewall.ip

Related IP

type: ip

fortinet.firewall.iptype

Related IP type

type: keyword

fortinet.firewall.keyword

Keyword used for search

type: keyword

fortinet.firewall.kind

VOIP kind

type: keyword

fortinet.firewall.lanin

LAN incoming traffic in bytes

type: long

fortinet.firewall.lanout

LAN outbound traffic in bytes

type: long

fortinet.firewall.lease

DHCP lease

type: integer

fortinet.firewall.license_limit

Maximum Number of FortiClients for the License

type: keyword

fortinet.firewall.limit

Virtual Domain Resource Limit

type: integer

fortinet.firewall.line

VOIP line

type: keyword

fortinet.firewall.live

Time in seconds

type: integer

fortinet.firewall.local

Local IP for a PPPD Connection

type: ip

fortinet.firewall.log

Log message

type: keyword

fortinet.firewall.login

SSH login

type: keyword

fortinet.firewall.lowcount

Fabric lowcount

type: integer

fortinet.firewall.mac

DHCP MAC address

type: keyword

fortinet.firewall.malform_data

VOIP malformed data

type: integer

fortinet.firewall.malform_desc

VOIP malformed data description

type: keyword

fortinet.firewall.manuf

Manufacturer name

type: keyword

fortinet.firewall.masterdstmac

Master MAC address for a host with multiple network interfaces

type: keyword

fortinet.firewall.mastersrcmac

The master MAC address for a host that has multiple network interfaces

type: keyword

fortinet.firewall.mediumcount

Fabric medium count

type: integer

fortinet.firewall.mem

Memory usage system statistics

type: integer

fortinet.firewall.meshmode

Wireless mesh mode

type: keyword

fortinet.firewall.message_type

VOIP message type

type: keyword

fortinet.firewall.method

HTTP method

type: keyword

fortinet.firewall.mgmtcnt

The number of unauthorized clients flooding management frames

type: integer

fortinet.firewall.mode

IPSEC mode

type: keyword

fortinet.firewall.module

PCI-DSS module

type: keyword

fortinet.firewall.monitor-name

Health Monitor Name

type: keyword

fortinet.firewall.monitor-type

Health Monitor Type

type: keyword

fortinet.firewall.mpsk

Wireless MPSK

type: keyword

fortinet.firewall.msgproto

Message Protocol Number

type: keyword

fortinet.firewall.mtu

Max Transmission Unit Value

type: integer

fortinet.firewall.name

Name

type: keyword

fortinet.firewall.nat

NAT IP Address

type: keyword

fortinet.firewall.netid

Connector NetID

type: keyword

fortinet.firewall.new_status

New status on user change

type: keyword

fortinet.firewall.new_value

New Virtual Domain Name

type: keyword

fortinet.firewall.newchannel

New Channel Number

type: integer

fortinet.firewall.newchassisid

New Chassis ID

type: integer

fortinet.firewall.newslot

New Slot Number

type: integer

fortinet.firewall.nextstat

Time interval in seconds for the next statistics

type: integer

fortinet.firewall.nf_type

Notification Type

type: keyword

fortinet.firewall.noise

Wi-Fi noise

type: integer

fortinet.firewall.old_status

Original Status

type: keyword

fortinet.firewall.old_value

Original Virtual Domain name

type: keyword

fortinet.firewall.oldchannel

Original channel

type: integer

fortinet.firewall.oldchassisid

Original Chassis Number

type: integer

fortinet.firewall.oldslot

Original Slot Number

type: integer

fortinet.firewall.oldsn

Old Serial number

type: keyword

fortinet.firewall.oldwprof

Old Web Filter Profile

type: keyword

fortinet.firewall.onwire

A flag to indicate if the AP is onwire or not

type: keyword

fortinet.firewall.opercountry

Operating Country

type: keyword

fortinet.firewall.opertxpower

Operating TX power

type: integer

fortinet.firewall.osname

Operating System name

type: keyword

fortinet.firewall.osversion

Operating System version

type: keyword

fortinet.firewall.out_spi

Out SPI

type: keyword

fortinet.firewall.outintf

Out interface

type: keyword

fortinet.firewall.passedcount

Fabric passed count

type: integer

fortinet.firewall.passwd

Changed user password information

type: keyword

fortinet.firewall.path

Path of looped configuration for security fabric

type: keyword

fortinet.firewall.peer

WAN optimization peer

type: keyword

fortinet.firewall.peer_notif

VPN peer notification

type: keyword

fortinet.firewall.phase2_name

VPN phase2 name

type: keyword

fortinet.firewall.phone

VOIP Phone

type: keyword

fortinet.firewall.pid

Process ID

type: integer

fortinet.firewall.policytype

Policy Type

type: keyword

fortinet.firewall.poolname

IP Pool name

type: keyword

fortinet.firewall.port

Log upload error port

type: integer

fortinet.firewall.portbegin

IP Pool port number to begin

type: integer

fortinet.firewall.portend

IP Pool port number to end

type: integer

fortinet.firewall.probeproto

Link Monitor Probe Protocol

type: keyword

fortinet.firewall.process

URL Filter process

type: keyword

fortinet.firewall.processtime

Process time for reports

type: integer

fortinet.firewall.profile

Profile Name

type: keyword

fortinet.firewall.profile_vd

Virtual Domain Name

type: keyword

fortinet.firewall.profilegroup

Profile Group Name

type: keyword

fortinet.firewall.profiletype

Profile Type

type: keyword

fortinet.firewall.qtypeval

DNS question type value

type: integer

fortinet.firewall.quarskip

Quarantine skip explanation

type: keyword

fortinet.firewall.quotaexceeded

If quota has been exceeded

type: keyword

fortinet.firewall.quotamax

Maximum quota allowed (in seconds if time-based, in bytes if traffic-based)

type: long

fortinet.firewall.quotatype

Quota type

type: keyword

fortinet.firewall.quotaused

Quota used (in seconds if time-based, in bytes if traffic-based)

type: long
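
The quota fields above only make sense together: quotamax and quotaused share a unit that depends on quotatype, and quotaexceeded is the device's own verdict. The following is an added example (not code from the Filebeat fortinet module or from Fortinet) that parses FortiOS key=value log bodies into the fortinet.firewall.* names on this page, coerces values to the declared types (integer, long, ip; everything else keyword), keeps an event with a bad value instead of dropping it, and then recomputes the quota state so the device's flag can be cross-checked. Assumptions: quotatype takes the values "time" and "traffic", quotaexceeded is "yes"/"no", FIELD_TYPES lists only a subset of this page's fields, and the sample log lines are constructed, not captured from a FortiGate.

```python
import ipaddress
import re
from typing import Any

# Subset of the types declared on this page; any key not listed is a keyword.
# The raw FortiOS log uses the bare key name; the fortinet.firewall. prefix is
# added when the event is emitted. (Assumption: subset chosen for this example.)
FIELD_TYPES: dict[str, str] = {
    "quotamax": "long", "quotaused": "long",
    "eapolcnt": "integer", "encrypt": "integer", "mtu": "integer", "pid": "integer",
    "rssi": "integer", "vrf": "integer", "tunnelid": "integer",
    "lanin": "long", "lanout": "long", "wanin": "long", "wanout": "long", "size": "long",
    "ip": "ip", "gateway": "ip", "local": "ip", "remote": "ip",
    "trueclntip": "ip", "tunnelip": "ip",
}

# key=value pairs: the value is either a double-quoted string (with \" escapes)
# or a bare token with no whitespace.
_PAIR_RE = re.compile(r'([A-Za-z_][\w.-]*)=("(?:[^"\\]|\\.)*"|[^\s"]*)')


def parse_fortios_line(line: str) -> dict[str, Any]:
    """Parse one FortiOS log body into typed fortinet.firewall.* fields.

    A value that does not fit its declared type is kept as the raw string and
    the key is recorded in _type_errors, so a malformed line is still visible
    to the analyst rather than silently dropped.
    """
    event: dict[str, Any] = {}
    errors: list[str] = []
    for key, raw in _PAIR_RE.findall(line):
        value: Any = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
        ftype = FIELD_TYPES.get(key, "keyword")
        try:
            if ftype in ("integer", "long"):
                value = int(value)
                if ftype == "integer" and not -2**31 <= value < 2**31:
                    raise ValueError("out of integer range")
            elif ftype == "ip":
                value = ipaddress.ip_address(value)
        except ValueError:
            errors.append(key)
        event[f"fortinet.firewall.{key}"] = value
    if errors:
        event["_type_errors"] = errors
    return event


def quota_state(event: dict[str, Any]) -> dict[str, Any]:
    """Recompute quota exhaustion from quotamax/quotaused in the unit this page
    gives (seconds for time-based, bytes for traffic-based) and compare it with
    the device's quotaexceeded flag. Assumed values: quotatype "time"/"traffic",
    quotaexceeded "yes"/"no". used >= limit counts as exceeded."""
    used = event.get("fortinet.firewall.quotaused")
    limit = event.get("fortinet.firewall.quotamax")
    if not isinstance(used, int) or not isinstance(limit, int):
        return {"checkable": False}
    unit = "seconds" if event.get("fortinet.firewall.quotatype") == "time" else "bytes"
    exceeded = used >= limit
    reported = event.get("fortinet.firewall.quotaexceeded")
    return {
        "checkable": True,
        "unit": unit,
        "exceeded": exceeded,
        "remaining": max(limit - used, 0),
        # None means the device did not report a flag, so there is nothing to contradict.
        "matches_device": reported is None or (reported == "yes") == exceeded,
    }


# Constructed sample lines (not real FortiGate output).
SAMPLE_LINES = [
    # traffic quota exhausted; the device flag agrees
    'date=2024-05-01 time=10:00:00 type="utm" subtype="webfilter" eventtype="quota" vd="root" '
    'ip=10.1.1.5 quotatype="traffic" quotamax=104857600 quotaused=104857700 quotaexceeded="yes" '
    'log="quota for \\"streaming\\" reached"',
    # time quota, still within limit
    'date=2024-05-01 time=10:05:00 type="utm" subtype="webfilter" eventtype="quota" vd="root" '
    'ip=10.1.1.6 quotatype="time" quotamax=3600 quotaused=1200 quotaexceeded="no"',
    # malformed: ip is not an address and quotaused is not numeric; kept and flagged
    'date=2024-05-01 time=10:06:00 type="utm" subtype="webfilter" eventtype="quota" vd="root" '
    'ip=not-an-ip quotatype="time" quotamax=3600 quotaused=N/A',
]


def analyze(lines: list[str]) -> list[dict[str, Any]]:
    """Parse each line and return its recomputed quota state."""
    return [quota_state(parse_fortios_line(line)) for line in lines]


if __name__ == "__main__":
    for line, state in zip(SAMPLE_LINES, analyze(SAMPLE_LINES)):
        print(line[:60], "...", state)
```

The type coercion mirrors what an ingest pipeline has to do before these fields can be range-queried: a quotaused stored as a keyword cannot be compared with quotamax, and an unparseable ip field should surface as a parse error, not vanish.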

fortinet.firewall.radioband

Radio band

type: keyword

fortinet.firewall.radioid

Radio ID

type: integer

fortinet.firewall.radioidclosest

Radio ID on the AP closest to the rogue AP

type: integer

fortinet.firewall.radioiddetected

Radio ID on the AP which detected the rogue AP

type: integer

fortinet.firewall.rate

Wireless rogue rate value

type: keyword

fortinet.firewall.rawdata

Raw data value

type: keyword

fortinet.firewall.rawdataid

Raw data ID

type: keyword

fortinet.firewall.rcvddelta

Received bytes delta

type: keyword

fortinet.firewall.reason

Alert reason

type: keyword

fortinet.firewall.received

Server key exchange received

type: integer

fortinet.firewall.receivedsignature

Server key exchange received signature

type: keyword

fortinet.firewall.red

Memory information in red

type: keyword

fortinet.firewall.referralurl

Web filter referralurl

type: keyword

fortinet.firewall.remote

Remote PPP IP address

type: ip

fortinet.firewall.remotewtptime

Remote Wi-Fi RADIUS authentication time

type: keyword

fortinet.firewall.reporttype

Report type

type: keyword

fortinet.firewall.reqtype

Request type

type: keyword

fortinet.firewall.request_name

VOIP request name

type: keyword

fortinet.firewall.result

VPN phase result

type: keyword

fortinet.firewall.role

VPN Phase 2 role

type: keyword

fortinet.firewall.rssi

Received signal strength indicator

type: integer

fortinet.firewall.rsso_key

RADIUS SSO attribute value

type: keyword

fortinet.firewall.ruledata

Rule data

type: keyword

fortinet.firewall.ruletype

Rule type

type: keyword

fortinet.firewall.scanned

Number of Scanned MMSs

type: integer

fortinet.firewall.scantime

Scanned time

type: long

fortinet.firewall.scope

FortiGuard Override Scope

type: keyword

fortinet.firewall.security

Wireless rogue security

type: keyword

fortinet.firewall.sensitivity

Sensitivity for document fingerprint

type: keyword

fortinet.firewall.sensor

NAC Sensor Name

type: keyword

fortinet.firewall.sentdelta

Sent bytes delta

type: keyword

fortinet.firewall.seq

Sequence number

type: keyword

fortinet.firewall.serial

WAN optimization serial

type: keyword

fortinet.firewall.serialno

Serial number

type: keyword

fortinet.firewall.server

AD server FQDN or IP

type: keyword

fortinet.firewall.session_id

Session ID

type: keyword

fortinet.firewall.sessionid

WAD Session ID

type: integer

fortinet.firewall.setuprate

Session Setup Rate

type: long

fortinet.firewall.severity

Severity

type: keyword

fortinet.firewall.shaperdroprcvdbyte

Received bytes dropped by shaper

type: integer

fortinet.firewall.shaperdropsentbyte

Sent bytes dropped by shaper

type: integer

fortinet.firewall.shaperperipdropbyte

Dropped bytes per IP by shaper

type: integer

fortinet.firewall.shaperperipname

Traffic shaper name (per IP)

type: keyword

fortinet.firewall.shaperrcvdname

Traffic shaper name for received traffic

type: keyword

fortinet.firewall.shapersentname

Traffic shaper name for sent traffic

type: keyword

fortinet.firewall.shapingpolicyid

Traffic shaper policy ID

type: integer

fortinet.firewall.signal

Wireless rogue AP signal

type: integer

fortinet.firewall.size

Email size in bytes

type: long

fortinet.firewall.slot

Slot number

type: integer

fortinet.firewall.sn

Security fabric serial number

type: keyword

fortinet.firewall.snclosest

SN of the AP closest to the rogue AP

type: keyword

fortinet.firewall.sndetected

SN of the AP which detected the rogue AP

type: keyword

fortinet.firewall.snmeshparent

SN of the mesh parent

type: keyword

fortinet.firewall.spi

IPSEC SPI

type: keyword

fortinet.firewall.src_int

Source interface

type: keyword

fortinet.firewall.srcintfrole

Source interface role

type: keyword

fortinet.firewall.srccountry

Source country

type: keyword

fortinet.firewall.srcfamily

Source family

type: keyword

fortinet.firewall.srchwvendor

Source hardware vendor

type: keyword

fortinet.firewall.srchwversion

Source hardware version

type: keyword

fortinet.firewall.srcinetsvc

Source interface service

type: keyword

fortinet.firewall.srcname

Source name

type: keyword

fortinet.firewall.srcserver

Source server

type: integer

fortinet.firewall.srcssid

Source SSID

type: keyword

fortinet.firewall.srcswversion

Source software version

type: keyword

fortinet.firewall.srcuuid

Source UUID

type: keyword

fortinet.firewall.sscname

SSC name

type: keyword

fortinet.firewall.ssid

Base Service Set ID

type: keyword

fortinet.firewall.sslaction

SSL Action

type: keyword

fortinet.firewall.ssllocal

WAD SSL local

type: keyword

fortinet.firewall.sslremote

WAD SSL remote

type: keyword

fortinet.firewall.stacount

Number of stations/clients

type: integer

fortinet.firewall.stage

IPSEC stage

type: keyword

fortinet.firewall.stamac

802.1X station MAC address

type: keyword

fortinet.firewall.state

Admin login state

type: keyword

fortinet.firewall.status

Status

type: keyword

fortinet.firewall.stitch

Automation stitch triggered

type: keyword

fortinet.firewall.subject

Email subject

type: keyword

fortinet.firewall.submodule

Configuration Sub-Module Name

type: keyword

fortinet.firewall.subservice

AV subservice

type: keyword

fortinet.firewall.subtype

Log subtype

type: keyword

fortinet.firewall.suspicious

Number of Suspicious MMSs

type: integer

fortinet.firewall.switchproto

Protocol change information

type: keyword

fortinet.firewall.sync_status

The sync status with the master

type: keyword

fortinet.firewall.sync_type

The sync type with the master

type: keyword

fortinet.firewall.sysuptime

System uptime

type: keyword

fortinet.firewall.tamac

The MAC address of the transmitter, or of the receiver if there is no transmitter

type: keyword

fortinet.firewall.threattype

WIDS threat type

type: keyword

fortinet.firewall.time

Time of the event

type: keyword

fortinet.firewall.to

Email to field

type: keyword

fortinet.firewall.to_vcluster

Destination virtual cluster number

type: integer

fortinet.firewall.total

Total memory

type: integer

fortinet.firewall.totalsession

Total Number of Sessions

type: integer

fortinet.firewall.trace_id

Session clash trace ID

type: keyword

fortinet.firewall.trandisp

NAT translation type

type: keyword

fortinet.firewall.transid

HTTP transaction ID

type: integer

fortinet.firewall.translationid

DNS filter translation ID

type: keyword

fortinet.firewall.trigger

Automation stitch trigger

type: keyword

fortinet.firewall.trueclntip

File filter true client IP

type: ip

fortinet.firewall.tunnelid

IPSEC tunnel ID

type: integer

fortinet.firewall.tunnelip

IPSEC tunnel IP

type: ip

fortinet.firewall.tunneltype

IPSEC tunnel type

type: keyword

fortinet.firewall.type

Module type

type: keyword

fortinet.firewall.ui

Admin authentication UI type

type: keyword

fortinet.firewall.unauthusersource

Unauthenticated user source

type: keyword

fortinet.firewall.unit

Power supply unit

type: integer

fortinet.firewall.urlfilteridx

URL filter ID

type: integer

fortinet.firewall.urlfilterlist

URL filter list

type: keyword

fortinet.firewall.urlsource

URL filter source

type: keyword

fortinet.firewall.urltype

URL filter type

type: keyword

fortinet.firewall.used

Number of Used IPs

type: integer

fortinet.firewall.used_for_type

Connection for the type

type: integer

fortinet.firewall.utmaction

Security action performed by UTM

type: keyword

fortinet.firewall.utmref

Reference to UTM

type: keyword

fortinet.firewall.vap

Virtual AP

type: keyword

fortinet.firewall.vapmode

Virtual AP mode

type: keyword

fortinet.firewall.vcluster

Virtual cluster ID

type: integer

fortinet.firewall.vcluster_member

Virtual cluster member

type: integer

fortinet.firewall.vcluster_state

Virtual cluster state

type: keyword

fortinet.firewall.vd

Virtual Domain Name

type: keyword

fortinet.firewall.vdname

Virtual Domain Name

type: keyword

fortinet.firewall.vendorurl

Vulnerability scan vendor URL

type: keyword

fortinet.firewall.version

Version

type: keyword

fortinet.firewall.vip

Virtual IP

type: keyword

fortinet.firewall.virus

Virus name

type: keyword

fortinet.firewall.virusid

Virus ID (unique virus identifier)

type: integer

fortinet.firewall.voip_proto

VOIP protocol

type: keyword

fortinet.firewall.vpn

VPN description

type: keyword

fortinet.firewall.vpntunnel

IPsec Vpn Tunnel Name

type: keyword

fortinet.firewall.vpntype

The type of the VPN tunnel

type: keyword

fortinet.firewall.vrf

VRF number

type: integer

fortinet.firewall.vulncat

Vulnerability Category

type: keyword

fortinet.firewall.vulnid

Vulnerability ID

type: integer

fortinet.firewall.vulnname

Vulnerability name

type: keyword

fortinet.firewall.vwlid

VWL ID

type: integer

fortinet.firewall.vwlquality

VWL quality

type: keyword

fortinet.firewall.vwlservice

VWL service

type: keyword

fortinet.firewall.vwpvlanid

VWP VLAN ID

type: integer

fortinet.firewall.wanin

WAN incoming traffic in bytes

type: long

fortinet.firewall.wanoptapptype

WAN Optimization Application type

type: keyword

fortinet.firewall.wanout

WAN outgoing traffic in bytes

type: long

fortinet.firewall.weakwepiv

Weak WEP initialization vector

type: keyword

fortinet.firewall.xauthgroup

XAuth Group Name

type: keyword

fortinet.firewall.xauthuser

XAuth User Name

type: keyword

fortinet.firewall.xid

Wireless X ID

type: integer