| 1 | +platform:FortiSiem |
| 2 | +description:Common field mapping |
| 3 | + |
| 4 | +field_mapping: |
| 5 | +TargetDetails:details |
| 6 | +Account_Name:user |
| 7 | +Computer_Name:computer |
| 8 | +Originating_Computer:srcName |
| 9 | +FileHash:hashCode |
| 10 | +FilePath:filePath |
| 11 | +Fqbn:hostName |
| 12 | +RuleId:ruleId# int type |
| 13 | +RuleName:ruleName |
| 14 | +CallTrace:procPath |
| 15 | +IntegrityLevel:integrityLevel |
| 16 | +ParentIntegrityLevel:procTrustLevel# int type |
| 17 | +Company:company |
| 18 | +ParentProcessGuid:procOwner |
| 19 | +LogonGuid:uuid |
| 20 | +ParentUser:userGrp |
| 21 | +Hashes:hashCode |
| 22 | +Imphash:hashIMP |
| 23 | +OriginalFilename:srcFileName |
| 24 | +OriginalFileName:srcFileName |
| 25 | +ParentProcess:parentProcName |
| 26 | +Product:product |
| 27 | +sha1:hashSHA1 |
| 28 | +DestPort:destIpPort# int type |
| 29 | +Destination:destIpAddr# ip type |
| 30 | +destination.port:destIpPort# int type |
| 31 | +HostApplication:appName |
| 32 | +TargetName:targetName |
| 33 | +TargetProcessAddress:destMACAddr |
| 34 | +Service:serviceName |
| 35 | +Source:eventSource |
| 36 | +ImagePath:serviceFileName |
| 37 | +Path:procPath |
| 38 | +Payload:dataPayload |
| 39 | +Properties:propName |
| 40 | +QueryName:queryId |
| 41 | +QueryResults:actionResult |
| 42 | +QueryStatus:status |
| 43 | +LogonProcessName:winLogonProc |
| 44 | +ServicePrincipalNames:principal |
| 45 | +HostVersion:version |
| 46 | +FailureCode:winKerbFailCode |
| 47 | +EngineVersion:version |
| 48 | +DeviceClassName:deviceType |
| 49 | +DeviceDescription:description |
| 50 | +Status:winLogonFailCode2 |
| 51 | +AccessList:fileAccess |
| 52 | +AccessMask:fileAccess |
| 53 | +AttributeLDAPDisplayName:propName |
| 54 | +ContextInfo:lineContent |
| 55 | +AttributeValue:propValue |
| 56 | +GroupSid:groupID |
| 57 | +AuditPolicyChanges:actionName |
| 58 | +CallingProcessName:procName |
| 59 | +GrantedAccess:accessKeyId |
| 60 | +KeyLength:msgLen |
| 61 | +keywords:msg |
| 62 | +Keywords:msg |
| 63 | +LayerRTID:permissionLevelID |
| 64 | +Level:permissionLevelType |
| 65 | +LDAPDisplayName:propName |
| 66 | +Value:propValue |
| 67 | +ObjectClass:osObjType |
| 68 | +ObjectServer:serverName |
| 69 | +ObjectValueName:osObjValue |
| 70 | +PipeName:vpnTunnelName |
| 71 | +PrivilegeList:privName |
| 72 | +RelativeTargetName:targetName |
| 73 | +SAMAccountName:accountName |
| 74 | +ScriptBlockText:script |
| 75 | +ShareName:fileName |
| 76 | +SidHistory:essId |
| 77 | +Signed:authResult |
| 78 | +StartFunction:funName |
| 79 | +StartModule:module |
| 80 | +TicketEncryptionType:encryptAlgo |
| 81 | +TicketOptions:kerbTicketOption |
| 82 | +IpAddress:srcIpAddr# ip type |
| 83 | +HiveName:procName |
| 84 | +DestinationIsIpv6:isIpv6 |
| 85 | +AllowedToDelegateTo:_win_isAllowedToDelegateTo_removed |
| 86 | +CallerProcessName:procName |
| 87 | +Caption:description |
| 88 | +CertThumbprint:certInfo |
| 89 | +ClassName:deviceType |
| 90 | +ModifyingApplication:appName |
| 91 | +OldTargetUserName:oldTargetUser |
| 92 | +ommandLine:command |
| 93 | +OriginalName:originalProcName |
| 94 | +Provider_Name:_win_providerName_removed |
| 95 | +param1:paraName |
| 96 | +param2:otherParaName |
| 97 | +RemoteAddress:remoteAddress |
| 98 | +SamAccountName:targetUser |
| 99 | +TargetUserSid:userId |
| 100 | +TargetSid:groupID |
| 101 | +TemplateContent:templateContent |
| 102 | +NewTemplateContent:newTemplateContent |
| 103 | +NewTargetUserName:targetUser |
| 104 | +RemoteName:targetName |
| 105 | +LocalName:filePath |
| 106 | +processPath:procName |
| 107 | +Action:eventAction# int type |
| 108 | +ApplicationPath:procPath |
| 109 | +SearchFilter:queryFilter |
| 110 | +Address:remoteAddress |
| 111 | +Origin:origLocation |
| 112 | +PasswordLastSet:passwordLastSet# Dara type |
| 113 | +TargetServerName:targetName |
| 114 | +ServerName:serverName |
| 115 | +DeviceName:hostName |
| 116 | +AuditSourceName:resourceName |
| 117 | +TargetLogonId:winLogonId |
| 118 | +ComputerName:computer |
| 119 | +CurrentDirectory:dirName |
| 120 | +Description:description |
| 121 | +FileVersion:fileVersion |
| 122 | +GroupName:targetUserGrp |
| 123 | +LogonId:winLogonId |
| 124 | +NewName:newObjValue |
| 125 | +ProcessName:procName |
| 126 | +QNAME:destName |
| 127 | +TargetFilename:fileName |
| 128 | +User:user |
| 129 | +Image:procName |
| 130 | +ParentImage:parentProcName |
| 131 | +CommandLine:command |
| 132 | +TaskName:task |
| 133 | +ServiceName:serviceName |
| 134 | +TargetObject:regKeyPath |
| 135 | +EventType:osObjAction |
| 136 | +EventID:eventType |
| 137 | +EventCode:eventType |
| 138 | +Details:details |
| 139 | +ParentCommandLine:parentCommand |
| 140 | +Message:msg |
| 141 | +HostName:hostName |
| 142 | +FileName:fileName |
| 143 | +TargetImage:targetProcName |
| 144 | +Accesses:osObjAccessType |
| 145 | +AccountName:user |
| 146 | +DestinationIp:destIpAddr# ip type |
| 147 | +DestinationPort:destIpPort# int type |
| 148 | +DestinationHostname:destName |
| 149 | +DestinationAddress:destIpAddr# ip type |
| 150 | +ObjectType:osObjType |
| 151 | +ObjectName:osObjName |
| 152 | +SourceImage:procName |
| 153 | +SourceAddress:srcIpAddr# ip type |
| 154 | +SourcePort:srcIpPort# int type |
| 155 | +SourceNetworkAddress:srcIpAddr# ip type |
| 156 | +SourceWorkstation:srcName |
| 157 | +TargetUserName:user |
| 158 | +UserName:user |
| 159 | +SubjectDomainName:domain |
| 160 | +SubjectLogonId:winLogonId |
| 161 | +SubjectUserName:user |
| 162 | +SubjectUserSid:securityId |
| 163 | +Workstation:computer |
| 164 | +WorkstationName:computer |
| 165 | +ServiceFileName:serviceFileName |
| 166 | +Signature:signatureName |
| 167 | +ImageLoaded:loadedProcName |
| 168 | +LogonType:winLogonType# int type |
| 169 | +AuthenticationPackage:procName |
| 170 | +AuthenticationPackageName:authenMethod |
| 171 | +Device:deviceIdentification |
| 172 | +PolicyName:policyName |
| 173 | +TargetProcessId:targetProcId |
| 174 | +TargetUser:targetUser |
| 175 | +NewValue:newObjValue |
| 176 | +SubjectAccountName:user |
| 177 | +ClientAddress:srcIpAddr# ip type |
| 178 | +ProcessID:procId |
| 179 | +TargetFileName:fileName |
| 180 | +AccountDomain:domain |
| 181 | +Computer:computer |
| 182 | +DomainName:targetDomain |
| 183 | +Initiated:initiated |
| 184 | +Commandline:command |
| 185 | +ProcessCommandLine:command |
| 186 | +Channel:activityType |
| 187 | +ServiceType:serviceType |
| 188 | +ServiceStartType:serviceStartType |
| 189 | +#network |
| 190 | +dst_ip:destIpAddr# ip type |
| 191 | +src_ip:srcIpAddr# ip type |
| 192 | +dst_port:destIpPort# int type |
| 193 | +src_port:srcIpPort# int type |
| 194 | +dns_query:uriQuery |
| 195 | +uri_query:uriQuery |
| 196 | +parent_domain:domain |
| 197 | +record_type:type |
| 198 | +query:queryId |
| 199 | +action:activityName |
| 200 | +operation:opName |
| 201 | +c-useragent:httpUserAgent |
| 202 | +c-uri:httpEndUri |
| 203 | +endpoint:targetName |
| 204 | +service:serviceName |
| 205 | +path:procPath |
| 206 | +name:procName |
| 207 | +cipher:password |
| 208 | +request_type:type |
| 209 | +answer:actionResult |
| 210 | +resp_mime_types:type |
| 211 | +message_size:msgLen# int type |
| 212 | +question_length:size# int type |
| 213 | +cs-method:httpMethod |
| 214 | +sc-status:status |
| 215 | +method:httpMethod |
| 216 | +referer:httpReferrer |
| 217 | +useragent:httpUserAgent |
| 218 | +clientip:srcIpAddr# int type |
| 219 | +MachineName:hostName |
| 220 | +TargetPort:destIpPort# int type |
| 221 | +DestAddress:destIpAddr# ip type |
| 222 | +SourceIp:srcIpAddr# ip type |
| 223 | +AppName:appName |
| 224 | +Binary:code |
| 225 | +ClientProcessId:procId |
| 226 | +ParentProcessId:parentProcId |
| 227 | +Data:lineContent |
| 228 | +ErrorCode:errorCode |
| 229 | +FileNameBuffer:fileName |
| 230 | +ProcessNameBuffer:procName |
| 231 | +RequestedPolicy:policyIdentity |
| 232 | +ValidatedPolicy:recipientPolicyId |
| 233 | +FilterOrigin:filter |
| 234 | +Application:appName |
| 235 | +AppID:appName |
| 236 | +ImageName:procName |
| 237 | +ImpersonationLevel:permissionLevelID |
| 238 | +Name:procName |
| 239 | +PackageFullName:procName |
| 240 | +PackagePath:procPath |
| 241 | +ProcessId:procId |
| 242 | +ProcessPath:procPath |
| 243 | +Protocol:srcProto |
| 244 | +SidList:userId |
| 245 | +SourceCommandLine:command |
| 246 | +SourceHostname:srcName |
| 247 | +TargetOutboundUserName:user |
| 248 | +TaskContent:task |
| 249 | +TaskContentNew:task |
| 250 | +md5:hashMD5 |
| 251 | +param3:swParam |
| 252 | +process:procName |
| 253 | +sha256:hashSHA256 |
| 254 | +subjectName:subjectContainsWords |
| 255 | +ExceptionCode:errorCode |
| 256 | +SignatureStatus:signatureStatus |
| 257 | +payload:dataPayload |
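Review bot: The `clientip:srcIpAddr# int type` entry in the network section is annotated `int type` while every other mapping onto `srcIpAddr` in this file (`IpAddress`, `SourceAddress`, `SourceNetworkAddress`, `ClientAddress`, `src_ip`, `SourceIp`) is annotated `ip type`; if these trailing annotations drive value coercion in the backend, a rule matching on `clientip` would be compared as an integer and silently never fire, so the line should read `clientip:srcIpAddr# ip type`. `PasswordLastSet:passwordLastSet# Dara type` looks like a typo for `Date type` and should be corrected the same way, since a misspelled type name is the kind of value a loader may ignore without reporting. `ommandLine:command` appears to be a truncated duplicate of the later `CommandLine:command`; unless a log source really emits that key, it should be dropped. `HiveName:procName` and `AuthenticationPackage:procName` (the latter sitting next to `AuthenticationPackageName:authenMethod`) map non-process fields onto `procName`, which I cannot verify against the FortiSIEM attribute list but would double-check, because a wrong target attribute makes a converted detection match nothing without raising any error. The file may continue beyond this chunk.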