Event : Endpoint

Vendor Documentation | Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Event : Endpoint | Base Rule | Information | Endpoint Profiling Activity |
| EVID 45057 : Add Connection | Sub Rule | Network Traffic | Connection Established |
| EVID 45058 : Close Connection | Sub Rule | Other Audit Success | Client Connection Closed |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| vd | <domainorigin> | Text/String |
| logid | <vmid> | Number |
| type | <policy> | Text/String |
| subtype | <subject> | Text/String |
| level | <severity> | Text/String |
| logdesc | <vendorinfo> | Text/String |
| action | <action>, <tag1> | Text/String |
| status | <status> | Text/String |
| connection_type | <sessiontype> | Text/String |
| count | <quantity> | Number |
| user | <login> | Text/String |
| ip | <sip> | IP Address |
| name | <sname> | Text/String |
| srcip | <sip> | IP Address |
| srcname | <sname> | Text/String |
| srcmac | <smac> | MAC Address |
| vulnname | <objectname> | Text/String |
| vulncat | <objecttype> | Text/String |
| severity | <severity> | Text/String |
| vendorurl | <url> | Text/String |
| msg | <result> | Text/String |