In reports generated by FortiAnalyzer, some URLs are obfuscated such that the period or dot “.” and colon ":" are replaced with the words [dot] and/or [colon] respectively.
This article explains why this happens..
How to generate data reports in FortiAnalyzer: https://docs.fortinet.com/document/fortianalyzer/6.2.0/administration-guide/136416/reports
This behavior is by design.
In certain scenarios, a PDF reader will activate URLs found in the report, and as such any malicious or threat bearing URLs shown in a report would become active hyperlinks and potentially lead users towards a website that had been blocked.
While this behavior does not happen by default, (FortiAnalyzer does not activate hyperlink URLs in the report), enabling ‘Databinding Format as URL’ in the PDF reader or simply having an URL start with ‘www’ does inadvertently result in URL text becoming an active hyperlink in the PDF reader.
To mitigate this behavior, when a threat report where blocked or malicious URLs are shown, the reports have been altered to replace the period or “.” dot character in the URL, with [dot] and ":" with [colon]
For instance, 'http://www.malware.com' is replaced as 'http[colon]//www[dot]malware[dot]com'.
Below is an example of such behavior in a report file.