Understanding FortiNDR Log Metadata and All Log Types for SIEM Integration

Hello sectea, 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Hello again sectea,

I found this solution. Can you tell us if it helps you?

FortiNDR (Fortinet Network Detection and Response) logs are rich in metadata and cover multiple log types such as detection logs, malware logs, AV events, network anomalies, and attack events. For integrating these logs into a SIEM, understanding the detailed structure and meaning of each field is crucial.

While official Fortinet documentation provides some samples, a more comprehensive approach includes:

1. Log Types Covered by FortiNDR:

   • Detection Logs: Events related to network anomalies, suspicious activities, or potential intrusions detected by FortiNDR sensors.
   • Malware Logs: Detailed records of malware detected on the network, including attributes like file hash (MD5), file type, detection time, and remediation status.
   • AV Logs: Antivirus-related events, often overlapping with malware logs, showing detections and actions taken.
   • Network Anomaly Logs: Capture unusual network traffic patterns or behaviors that may indicate an attack or compromise.
   • Attack Events: Specific logs detailing types of attacks detected, their sources, targets, and severity.
     
     

2. Metadata and Field Details: Each log entry typically contains:

   • Timestamp: When the event was detected.
   • Source and Destination IPs: Network endpoints involved.
   • Event Type: Classification of the log (e.g., malware detection, anomaly).
   • Severity Level: Criticality of the event.
   • File Attributes: For malware logs, includes file name, hash (MD5), file type.
   • Detection Method: How the threat was identified (signature, heuristic, behavior).
   • Action Taken: Whether the threat was quarantined, blocked, or allowed.
   • Device ID and Sensor Info: Which FortiNDR device or sensor generated the log.
     
     

3. Examples and Parsing Tips:

   • Malware logs often include a summary view with detailed metadata accessible on demand.
   • Detection logs include contextual information such as user identity, process involved, and network protocol.
   • Logs can be in JSON or other structured formats, making parsing into SIEM easier if you map each field explicitly.
     
     

4. Guides and References:

   • Fortinet’s official administration guides for FortiNDR versions (like 7.6.3) offer detailed explanations of malware logs and detection event fields.
   • Release notes and product documentation sometimes include tables of log fields and examples.
   • Fortinet community forums and support threads can provide user-shared insights and expanded examples.
   • Some whitepapers and technical blogs on Fortinet’s site or cybersecurity forums discuss integration best practices and detailed log parsing.
     
     

For your integration, I recommend obtaining the latest FortiNDR administration guide and release notes for your version, as these documents provide the most detailed field-level descriptions and examples of logs including malware, AV, and detection events

Hello again ,

Thank you for your response, it was very helpful.
I would like to ask for clarification on a few points related to detection type metadata, as this information is important for defining comprehensive SIEM use cases.

1. Antivirus (AV) Log Detection Types
Based on the AV log samples (in Fortinet's documentation), my understanding is that the detection types are primarily reflected in the metadata field detypelst.
For example:
detypelst="worm,trojan,downloader"
detypecounts="64,64,2"
From this, I understand that detypelst contains the list of detection categories associated with the event.
However, I would like to clarify the following:
Is the list of possible values for detypelst is aligned with malware attack scenario categories?
Or is there an official or exhaustive list of all possible detection types that may appear in detypelst?
Because for example, “downloader” does not appear to be explicitly listed in common malware attack scenario documentation, which raises the question of whether additional internal categories exist. Having a complete list would help to ensure that all relevant SIEM detection and correlation use cases are properly covered.

2. NDR Log Subtypes
Regarding NDR logs, the samples I reviewed suggest that SIEM use cases can be built primarily based on the subtype metadata.
According to Fortinet documentation and observed samples, the following subtypes are mentioned:
Botnet/Encrypted/IOC/IPS attack/Weak cipher/ML
Could you please confirm:
Whether this represents the complete list of NDR detection subtypes
Or if there are additional subtypes that may appear in production environments
A list would help ensure accurate detection mapping and rule coverage.

3. NetFlow Logs – Detection Tags
For NetFlow logs, it appears that the tag field represents the detection or alert category, as shown in the example below:
tag="Phishing"
Could you please clarify:
Is there a defined list of possible values for the tag field?
Understanding the full range of possible tags would allow us to design complete and consistent SIEM alerting and threat classification use cases.

Thank you in advance for your support and clarification. This information will greatly help us align detection logic and SIEM use case coverage with Fortinet’s detection capabilities.

Kind Regards,