Trying to be ECS compliant in order to have visual analysis. It's hard! Help needed

I’m renaming Fortigate’s field names from what Fortinet called them to ECS-compatible ones. There is the integration section and there is also the exported fields section. Which one do I have to follow? Three examples to understand my dilemma:
Example 1:
Fortinet’s firewall, Fortigate, has a field called action. The integration section says that it has to be called event.action, but the exported fields section says it’s fortinet.firewall.action. Which one should I pick?
Example 2:
Fortigate has a field called authserver, which is not present in the integration section, but in the exported fields it is called fortinet.firewall.authserver. I guess I have to pick this one.
Example 3:
Fortigate has a field called filesize. In the integration section it is called file.size, and it doesn’t exist in the exported fields.
So... should I take the names from the integration section and the rest from the exported fields?
Why do this? Because in alerts I can’t view the visual analysis because “it has some incompatible field mappings” (so far I have all the integration field names, but none from the exported fields section).
