0% found this document useful (0 votes)

29 views176 pages

FortiAnalyzer-5.2.2 Dataset Reference

Uploaded by

tarr0241

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

29 views176 pages

FortiAnalyzer-5.2.2 Dataset Reference

Uploaded by

tarr0241

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 176

FortiAnalyzer Dataset Reference

VERSION 5.2.2
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE

http://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTIGATE COOKBOOK
http://cookbook.fortinet.com

FORTINET TRAINING SERVICES

http://www.fortinet.com/training

FORTIGUARD CENTER
http://www.fortiguard.com

END USER LICENSE AGREEMENT

http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

FortiAnalyzer Dataset Reference

April 22, 2015

05-522-268748-20150422
TABLE OF CONTENTS

Introduction 4
Overview 5
Understanding Datasets and Macros 6
Creating Custom Datasets 7
To create a custom dataset in the web-based manager 7
Testing SQL Query 8
Examples of SQL Query Errors 8
Examples of Custom Datasets 9
Example 1: Distribution of applications by type in the last 24 hours 10
Example 2: Top 100 applications by bandwidth in the last 24 hours 11
Log Database Tables 12
Dataset Reference List 16
Macro Reference List 173
Introduction

This document provides information about the various types of FortiAnalyzer datasets which are created based on the
FortiGate log SQL tables and messages. These datasets are used to create charts and reports.

It describes the procedure for creating custom datasets, and also lists the types of log tables used to assist in writing
SQL queries to create the datasets.

4 Dataset Reference
Fortinet Inc.
Overview

FortiAnalyzer uses the PostgreSQL and remote MySQL databases to store the log data generated by the FortiGate.

To create a chart based on the FortiGate logs in a local or remote database, you can use either the predefined
datasets, or create your own custom datasets by querying the logs in the SQL database in FortiAnalyzer.

Understanding Datasets and Macros 6

5 Dataset Reference
Fortinet Inc.
Overview Understanding Datasets and Macros

Understanding Datasets and Macros

FortiAnalyzer datasets are collections of log messages from monitored devices.

If the FortiAnalyzer unit is not receiving data from a device, or logging is not enabled under System > Config > SQL
Database, it does not create log tables for that device.

Charts in FortiAnalyzer are generated based on the datasets. To create a chart, you can use either the predefined
datasets, or create your own custom datasets by querying the log messages in the SQL database on the FortiAnalyzer
unit. Both predefined and custom datasets can be cloned, but only custom datasets can be deleted. You can also view
the SQL query for a dataset, and test the query against specific devices or log arrays.

You can create custom reports that contain macros created based on predefined and custom datasets. Macros are
used to dynamically display the device log data as text in a report. They can be embedded within a text field of a
paragraph in a report layout in XML format. Macros display a single value, such as a user name, highest session count,
or highest bandwidth etc.

To view and configure datasets, go to Reports > Advanced > Dataset in the left navigation pane of the web-based
manager. For more information, refer to the Dataset section in the FortiAnalyzer Administration Guide.

To view and configure macros, go to Reports> Macro Library in the left navigation pane of the web-based manager.
For more information, refer to the Macro Library section in the FortiAnalyzer Administration Guide.

NOTE: FortiAnalyzer v5.0 Patch Release 5 introduced new datasets for SIP and SCCP. FortiAnalyzer v5.0 Patch
Release 6 introduced new datasets for Botnet (Botnet-Activity-By-Sources, Botnet-Infected-Hosts, Botnet-Sources, Botnet-
Timeline, and Detected-Botnet).

6 Dataset Reference
Fortinet Inc.
Creating Custom Datasets

This section describes the procedure to create datasets in the FortiAnalyzer web-based manager.

To create a custom dataset in the web-based manager

1. Go to Reports> Advanced > Dataset.

2. Click Create New.

3. Configure the following, then click OK.

The following table describes the GUI fields of the New Dataset dialog box.

Field Description

Name Name of the data set.

Log Type Log Type to be used for the data set.

$log is used in the SQL query to represent the log type you
select, and it is run against all tables of this type.

Devices Select All Devices to create datasets on all of FortiAna-

lyzer managed devices or select Specify to choose a device
on which you want to create the dataset.

7 Dataset Reference
Fortinet Inc.
Testing SQL Query

Field Description

Query Enter the SQL query syntax to retrieve the log data you want
from the SQL database.

Time Period Select to use logs from a time frame.

Select Other to define a custom time frame by selecting the
Start Time and End Time. $filter is used in the SQL query
"where" clause to limit the results to the period you select.

Test Click to test whether or not the SQL query is successful.

Testing SQL Query

You can verify the SQL query that you used to create the custom dataset before saving the dataset configuration by
testing and viewing the query results.

To test a SQL query:

1. Click Test after entering the SQL query in the New Dataset dialog box.
The query results are displayed. If the query is not successful, an error message appears in the results pane.

Examples of SQL Query Errors

Here are some example error messages and possible causes:

Syntax Errors
You have an error in your SQL syntax (remote/MySQL) or ERROR: syntax error at or
near... (local/PostgreSQL)

l Check that SQL keywords are spelled correctly, and that the query is well-formed.
l Table and column names are demarked by grave accent (`) characters. Single (') and double (") quotation marks will
cause an error.

No data is covered.

l The query is correctly formed, but no data has been logged for the log type. Check that you have configured the
FortiAnalyzer unit to save that log type. Under System >

Config > SQL Database, ensure that the log type is checked.

Connection Errors
If well formed queries do not produce results, and logging is turned on for the log type, there may be a database
configuration problem with the remote database.

Dataset Reference 8
Fortinet Inc.
Examples of Custom Datasets

Ensure that:

l MySQL is running and using the default port3306.

l You have created an empty database and a user with create permissions for the database.

Here is an example of creating a new MySQL database named fazlogs, and adding a user for the database:

#Mysql –u root –p

mysql> Create database fazlogs;

mysql> Grant all privileges on fazlogs.* to ‘fazlogger’@’*’

identified by ‘fazpassword’;

mysql> Grant all privileges on fazlogs.* to

‘fazlogger’@’localhost’ identified by ‘fazpassword’;

For more information about using SQL queries for creating datasets, refer to the

FortiAnalyzer™ and FortiGate™ Version 4.0 MR2 SQL Log Database Query Technical Note on the Fortinet
Documentation Library at docs.fortinet.com.

Examples of Custom Datasets

The following examples illustrate how to create custom datasets using the web-based manager GUI. Once created,
you can use the datasets to configure chart templates under Reports > Chart Library.

9 Dataset Reference
Fortinet Inc.
Examples of Custom Datasets

Example 1: Distribution of applications by type in the last 24 hours

GUI Procedure
1. Go to Reports> Advanced > Dataset.
2. Click Create New.
3. Select Application Control under Log Type.
4. Enter a name, such as "apps_type_24hrs".
5. Select Last N Hours under Time Period.
6. Enter the query:
SELECT app_type, COUNT( * ) AS totalnum
FROM $log
WHERE $filter
AND app_type IS NOT NULL
GROUP BY app_type
ORDER BY totalnum DESC

Dataset Reference 10
Fortinet Inc.
Examples of Custom Datasets

Notes:

l $filter restricts the query result to the time period specified; in this case, it’s the past 24 hours.
l $log queries all application control logs
l The application control module classifies each firewall session in app_type. One firewall session may be classified
to multiple app_types. For example, an HTTPsession can be classified to: HTTP, Facebook, etc.
l Some app/app_types may not be able to detected, then the ‘app_type’ field may be null or ‘N/A’. These will be
ignored by this query.

The result is ordered by the total session number of the same app_type. The most frequent app_types will appear first.

Example 2: Top 100 applications by bandwidth in the last 24 hours

1. GUI Procedure
2. Go to Reports> Advanced > Dataset.
3. Click Create New.
4. Select Application Control under Log Type.
5. Enter a name, such as "top_100_aps_24hrs".
6. Select Last N Hours under Time Period.
7. Enter the query:
SELECT (
TIMESTAMP - TIMESTAMP %3600
) AS hourstamp, app, service, SUM( sent + rcvd ) AS volume
FROM $log
WHERE $filter and app IS NOT NULL
GROUP BY app
ORDER BY volume DESC
LIMIT 100

NOTE:
l (timestamp-timestamp%3600) as hourstamp - this calculates an "hourstamp" to indicate bandwidth per hour.
l SUM( sent + rcvd ) AS volume - this calculates the total sent and received bytes.
l ORDER BY volume DESC - this orders the results by descending volume (largest volume first).
l LIMIT 100 - this lists only the top 100 applications.

11 Dataset Reference
Fortinet Inc.
Log Database Tables

The FortiAnalyzer and FortiGate units create SQL database tables to record log data. These tables are generated for
high log rate and low log rate devices.

The naming convention for the log SQL tables is:

High log rate:

<devtype>]-ADOM[<admon_oid><log-type>-timestamp]

and

Low log rate:

<devtype>ADOM<adom_oid>-ALLELSE-<log-type>-<timestamp>-<delta-timestamp>

where the device type can be any one of the following:

Example:
FGTADOM141-tlog-0, FGTADOM141-ALLELSE-tlog-0-0

<devtype> : "FGT/FMG/FML/FCT/FWB/FCH/FAZ/SYS/..."

{"FGT", "FortiGate"},

{"FMG", "FortiManager"},

{"SYS", "Syslog"},

{"FCT", "FortiClient"},

{"FML", "FortiMail"},

{"FWB", "FortiWeb"},

{"FCH", "FortiCache"},

{"FAZ", "FortiAnalyzer"},

{"FSA", "FortiSandbox"},

Log Type SQL Table Description

Type

Traffic tlog The traffic log records all traffic to and through the FortiGate
interface.

Event elog The event log records management and activity events. For
example, when an administrator logs in or logs out of the web-
based manager.

Antivirus vlog The antivirus log records virus incidents in Web, FTP, and email
traffic.

12 Dataset Reference
Fortinet Inc.
Log Database Tables

Log Type SQL Table Description

Type

Webfilter wlog The web filter log records HTTP FortiGate log rating errors
including web content blocking actions that the FortiGate unit
performs.

Attack attack_log The attack log records attacks that are detected and prevented
by the FortiGate unit.

Data Leak Prevention dlog The Data Leak Prevention log records log data that is con-
sidered sensitive and that should not be made public. This log
also records data that a company does not want entering their
network.

Application Control rlog The application control log records data detected by the
FortiGate unit and the action taken against the network traffic
depending on the application that is generating the traffic, for
example, instant messaging software, such as MSN Mes-
senger.

Spamfilter spamfilter_log The spam filter log records blocking of email address patterns
and content in SMTP, IMAP, and POP3 traffic.

Content clog The content log records all network content that is transmitted
through the network.

Netscan nlog The netscan log records data related to network security and
scan.

Sniffer xlog The sniffer log records each packet raw data for traffic bot-
tlenecks.

VOIP plog The VOIP log records detailed protocol specific logs for VOIP
traffic.

To view all the tables created in a database, use the following commands:

l local (PostgreSQL) database: SELECT * FROM pg_tables

l remote (MySQL): SHOW TABLES

FortiAnalyzer and FortiGate logs also include log sub-types, which are types of log messages that are within the main
log type. For example, in the event log type there are the subtype admin log messages.

For more information on FortiGate Log Types and Messages, refer to the FortiOS/FortiGate Log Message Reference
Guide on the Fortinet Documentation Library at: docs.fortinet.com.

Dataset Reference 13
Fortinet Inc.
Log Database Tables

Log Type Sub Type

traffic (Traffic Log) • allowed – Policy allowed traffic

• violation - Policy violation traffic
• other

event (Event Log) For FortiGate devices:

l system – System activity event
l ipsec – IPSec negotiation event
l dhcp – DHCP service event
l ppp – L2TP/PPTP/PPPoE service event
l admin – admin event
l ha – HA activity event
l auth – Firewall authentication event
l pattern – Pattern update event
l alertemail – Alert email notifications
l chassis – FortiGate-4000 and FortiGate-5000 series
chassis event
l sslvpn-user – SSL VPN user event
l sslvpn-admin – SSL VPN administration event
l sslvpn-session – SSL VPN session event
l his-performance – performance statistics
l vipssl – VIP SSL events
l ldb-monitor – LDB monitor events

dlp (Data Leak Prevention) l dlp – Data Leak Prevention

app-crtl (Application Control Log) l app-crtl-all – All application control

virus (Antivirus Log) l infected – Virus infected

l filename – Filename blocked
l oversize – File oversized

webfilter (Web Filter Log) l content – content block

l urlfilter – URL filter
l FortiGuard block
l FortiGuard allowed
l FortiGuard error
l ActiveX script filter
l Cookie script filter
l Applet script filter

ips (Attack Log) l signature – Attack signature

l anomaly – Attack anomaly

14 Dataset Reference
Fortinet Inc.
Log Database Tables

Log Type Sub Type

email filter (Spam Filter Log) l SMTP

l POP3
l IMAP

Dataset Reference 15
Fortinet Inc.
Dataset Reference List

The following table lists the available predefined data sets reported by FortiAnalyzer. For documentation and technical
support reference purposes, this table contains the dataset names, SQL query syntax for each dataset, and the log
category of the dataset.

Dataset Name Description Log Category

Traffic- Traffic bandwidth timeline traffic

Bandwidth-
Summary-Day-
Of-Month

select
$flex_timescale as hodex,
sum(
coalesce(sentbyte, 0)
) as traffic_out,
sum(
coalesce(rcvdbyte, 0)
) as traffic_in
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
hodex
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
hodex

Session- Number of session timeline traffic

Summary-Day-
Of-Month

16 Dataset Reference
Fortinet Inc.
Dataset Reference List

Top-Users-By- Bandwidth application top users traffic

Bandwidth by bandwidth usage

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth,
sum(
coalesce(rcvdbyte, 0)
) as traffic_in,
sum(
coalesce(sentbyte, 0)
) as traffic_out,
count(*) as sessions
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
user_src
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc

Top-App-By- Top applications by bandwidth traffic

Bandwidth usage

Dataset Reference 17
Fortinet Inc.
Dataset Reference List

Top-User- Top user source by session traffic

Source-By- count
Sessions

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
count(*) as sessions
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
user_src
order by
sessions desc

Top-App-By- Top applications by session traffic

Sessions count

18 Dataset Reference
Fortinet Inc.
Dataset Reference List

Top-Destination- Top destinations by session traffic

Addresses-By- count
Sessions

select
coalesce(
nullifna(
root_domain(hostname)
),
ipstr(dstip)
) as domain,
count(*) as sessions
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
domain
order by
sessions desc

Top-Destination- Top destinations by bandwidth traffic

Addresses-By- usage
Bandwidth

Dataset Reference 19
Fortinet Inc.
Dataset Reference List

DHCP- Event top dhcp summary event

Summary-By-
Port

20 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

drop
table if exists pre_clt_list;
drop
table if exists cur_clt_list;
drop
table if exists allocated_ip; create temporary table pre_clt_list as ###
(select concat(interface, '.', devid) as intf, mac from $log where $last3day_
period $filter and logid_to_int(logid) = 26001 and dhcp_msg = 'Ack' group by
interface, devid, mac)###; create temporary table cur_clt_list as ###(select con-
cat(interface, '.', devid) as intf, mac from $log where $filter and logid_to_int
(logid) = 26001 and dhcp_msg = 'Ack' group by interface, devid, mac)###; create
temporary table allocated_ip as select distinct on (1) intf, cast
(used*100.0/total as decimal(18,2)) as percent_of_allocated_ip from ###(select
distinct on (1) concat(interface, '.', devid) as intf, used, total, itime from
$log where $filter and logid_to_int(logid)=26003 and total>0 order by 1, itime
desc)### t order by 1, itime desc; select t1.intf as interface, percent_of_alloc-
ated_ip, new_cli_count from allocated_ip t1 inner join (select intf, count(mac)
as new_cli_count from cur_clt_list where not exists (select 1 from pre_clt_list
where cur_clt_list.mac=pre_clt_list.mac) group by intf) t2 on t1.intf=t2.intf
order by interface, percent_of_allocated_ip desc

Top-Wifi-Client- Traffic top WiFi client by traffic

By-Bandwidth bandwidth usage

Dataset Reference 21
Fortinet Inc.
Dataset Reference List

Traffic-History- Traffic history by active user traffic

By-Active-User

select
hodex,
count(
distinct(user_src)
) as total_user
from
###(select $flex_timescale as hodex, coalesce(nullifna(`user`), nullifna(`un-
authuser`), ipstr(`srcip`)) as user_src from $log where $filter and logid_to_int
(logid) not in (4, 7, 14) group by hodex, user_src order by hodex)### t group by
hodex order by hodex

22 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

Top-Allowed- UTM top allowed web sites by traffic

Websites-By- request
Requests

select
hostname,
catdesc,
count(*) as requests
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and utmevent in (
'webfilter', 'banned-word', 'web-content',
'command-block', 'script-filter'
)
and hostname is not null
and (
utmaction not in ('block', 'blocked')
or action != 'deny'
)
group by
hostname,
catdesc
order by
requests desc

Top-50- Webfilter top allowed web sites webfilter

Websites-By- by bandwidth usage
Bandwidth

Dataset Reference 23
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
domain,
string_agg(distinct catdesc, ', ') as agg_catdesc,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
###(select coalesce(nullifna(hostname), ipstr(`srcip`)) as domain, catdesc,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvd-
byte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log-
traffic where $filter and logid_to_int(logid) not in (4, 7, 14) and utmevent in
('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')
and utmaction!='blocked' group by domain, catdesc having sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### union all ###(select
coalesce(nullifna(hostname), ipstr(`srcip`)) as domain, catdesc, sum(coalesce
(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as
traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log-webfilter where
$filter and (eventtype is null or logver = 52) and action!='blocked' group by
domain, catdesc having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order
by bandwidth desc)###) t group by domain, catdesc order by bandwidth desc

Top-Blocked- UTM top blocked web sites by traffic

Websites request

select
hostname,
count(*) as requests
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and utmevent in (
'webfilter', 'banned-word', 'web-content',
'command-block', 'script-filter'
)
and hostname is not null
and (
utmaction in ('block', 'blocked')
or action = 'deny'
)
group by
hostname
order by
requests desc

Top-Web-Users- UTM top web users by request traffic

By-Request

24 Dataset Reference
Fortinet Inc.
Dataset Reference List

Top-Allowed- UTM top allowed websites by traffic

WebSites-By- bandwidth usage
Bandwidth

Dataset Reference 25
Fortinet Inc.
Dataset Reference List

Top-Blocked- UTM top blocked web users traffic

Web-Users

26 Dataset Reference
Fortinet Inc.
Dataset Reference List

Top-20-Web- Webfilter top web users by webfilter

Users-By- bandwidth usage
Bandwidth

Dataset Reference 27
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
user_src,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
###(select coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`sr-
cip`)) as user_src, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as band-
width, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as
traffic_out from $log-traffic where $filter and logid_to_int(logid) not in (4,
7, 14) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-
block', 'script-filter') group by user_src having sum(coalesce(sentbyte, 0)+co-
alesce(rcvdbyte, 0))>0 order by bandwidth desc)### union all ###(select coalesce
(nullifna(ùser`), ipstr(`srcip`)) as user_src, sum(coalesce(sentbyte, 0)+co-
alesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum
(coalesce(sentbyte, 0)) as traffic_out from $log-webfilter where $filter and
(eventtype is null or logver = 52) group by user_src having sum(coalesce(sent-
byte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)###) t group by user_
src order by bandwidth desc

Top-Web-Users- UTM top web users by traffic

By-Bandwidth bandwidth usage

28 Dataset Reference
Fortinet Inc.
Dataset Reference List

Top-Video- UTM top video streaming traffic

Streaming- websites by bandwidth usage
Websites-By-
Bandwidth

Dataset Reference 29
Fortinet Inc.
Dataset Reference List

Top-Email- Default top email senders by traffic

Senders-By- count
Count

30 Dataset Reference
Fortinet Inc.
Dataset Reference List

Top-Email- Default email top receivers by traffic

Receivers-By- count
Count

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
count(*) as requests
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and service in (
'pop3', 'POP3', '110/tcp', 'imap',
'IMAP', '143/tcp', 'imaps', 'IMAPS',
'993/tcp', 'pop3s', 'POP3S', '995/tcp'
)
group by
user_src
order by
requests desc

Top-Email- Default email top senders by traffic

Senders-By- bandwidth usage
Bandwidth

Dataset Reference 31
Fortinet Inc.
Dataset Reference List

Top-Email- Default email top receivers by traffic

Receivers-By- bandwidth usage
Bandwidth

32 Dataset Reference
Fortinet Inc.
Dataset Reference List

Top-Malware- UTM top virus traffic

By-Name

select
virus,
(
case when virus like 'Riskware%' then 'Spyware' when virus like 'Adware%'
then 'Adware' else 'Virus' end
) as malware_type,
sum(totalnum) as totalnum
from
(
###(select virus, count(*) as totalnum from $log-traffic where $filter and
logid_to_int(logid) not in (4, 7, 14) and utmevent is not null and virus is not
null group by virus order by totalnum desc)### union all ###(select virus, count
(*) as totalnum from $log-virus where $filter and (eventtype is null or logver =
52) and nullifna(virus) is not null group by virus order by totalnum desc)###) t
group by virus, malware_type order by totalnum desc

Top-Virus-By- UTM top virus traffic

Name

Dataset Reference 33
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

Top-Virus-Victim UTM top virus user traffic

select
user_src,
sum(totalnum) as totalnum
from
(
###(select coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`sr-
cip`)) as user_src, count(*) as totalnum from $log-traffic where $filter and
logid_to_int(logid) not in (4, 7, 14) and utmevent is not null and virus is not
null group by user_src order by totalnum desc)### union all ###(select coalesce
(nullifna(ùser`), ipstr(`srcip`)) as user_src, count(*) as totalnum from $log-
virus where $filter and (eventtype is null or logver = 52) and nullifna(virus)
is not null group by user_src order by totalnum desc)###) t group by user_src
order by totalnum desc

Top-Attack- UTM top attack source attack

Source

select
coalesce(
nullifna(`user`),
ipstr(`srcip`)
) as user_src,
count(*) as totalnum
from
$log
where
$filter
group by
user_src
order by
totalnum desc

34 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

Top-Attack- UTM top attack dest attack

Victim

select
dstip,
count(*) as totalnum
from
$log
where
$filter
and dstip is not null
group by
dstip
order by
totalnum desc

Top-Static- Top static IPsec tunnels by event

IPSEC-Tunnels- bandwidth usage
By-Bandwidth

select
vpn_name,
sum(traffic_in + traffic_out) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
select
devid,
vd,
remip,
tunnelid,
vpn_name,
max(traffic_in) as traffic_in,
max(traffic_out) as traffic_out
from
###(select devid, vd, remip, vpn_trim(vpntunnel) as vpn_name, tunnelid,
max(coalesce(sentbyte, 0)) as traffic_out, max(coalesce(rcvdbyte, 0)) as
traffic_in from $log where $filter and subtype='vpn' and tunneltype like
'ipsec%' and (tunnelip is null or (tunnelip='0.0.0.0' and coalesce(logver, 0)!-
!=52)) and action in ('tunnel-stats', 'tunnel-down') and tunnelid is not null
group by devid, vd, remip, vpn_name, tunnelid)### t group by devid, vd, remip,
vpn_name, tunnelid) tt group by vpn_name having sum(traffic_in+traffic_out)>0
order by bandwidth desc

Top-SSL-VPN- Top SSL VPN tunnel users by event

Tunnel-Users- bandwidth usage
By-Bandwidth

Dataset Reference 35
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
user_src,
remip as remote_ip,
from_dtime(
min(s_time)
) as start_time,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
select
devid,
vd,
remip,
user_src,
tunnelid,
min(s_time) as s_time,
max(e_time) as e_time,
(
case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_
traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)
- min(min_traffic_out) end
) as bandwidth,
(
case when min(s_time)= max(e_time) then max(max_traffic_in) else max
(max_traffic_in)- min(min_traffic_in) end
) as traffic_in,
(
case when min(s_time)= max(e_time) then max(max_traffic_out) else max
(max_traffic_out)- min(min_traffic_out) end
) as traffic_out
from
###(select devid, vd, remip, coalesce(nullifna(`user`), ipstr(`remip`)) as
user_src, tunnelid, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0))
as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte,
0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max
(coalesce(rcvdbyte, 0)) as max_traffic_in from $log where $filter and sub-
type='vpn' and tunneltype='ssl-tunnel' and action in ('tunnel-stats', 'tunnel-
down', 'tunnel-up') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null
and tunnelid is not null group by devid, vd, user_src, remip, tunnelid)### t
group by devid, vd, user_src, remip, tunnelid) tt group by user_src, remote_ip
having sum(bandwidth)>0 order by bandwidth desc

Top-Dial-Up- Top dial up IPsec tunnels by event

IPSEC-Tunnels- bandwidth usage
By-Bandwidth

36 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
vpn_name,
sum(traffic_out + traffic_in) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
select
devid,
vd,
tunnelid,
remip,
vpn_name,
max(traffic_in) as traffic_in,
max(traffic_out) as traffic_out
from
###(select devid, vd, remip, vpn_trim(vpntunnel) as vpn_name, tunnelid,
max(coalesce(sentbyte, 0)) as traffic_out, max(coalesce(rcvdbyte, 0)) as
traffic_in from $log where $filter and nullifna(vpntunnel) is not null and sub-
type='vpn' and tunneltype like 'ipsec%' and not (tunnelip is null or (tun-
nelip='0.0.0.0' and coalesce(logver, 0)!=52)) and action in ('tunnel-stats',
'tunnel-down') and tunnelid is not null group by devid, vd, remip, vpn_name, tun-
nelid)### t group by devid, vd, remip, vpn_name, tunnelid) tt group by vpn_name
having sum(traffic_out+traffic_in)>0 order by bandwidth desc

Top-Dial-Up- Top dial up IPsec users by event

IPSEC-Users-By- bandwidth usage
Bandwidth

Dataset Reference 37
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
coalesce(
xauthuser_agg,
user_agg,
ipstr(`remip`)
) as user_src,
remip,
from_dtime(
min(s_time)
) as start_time,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
select
devid,
vd,
string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg,
string_agg(distinct user_agg, ' ') as user_agg,
remip,
tunnelid,
min(s_time) as s_time,
max(e_time) as e_time,
(
case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_
traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)
- min(min_traffic_out) end
) as bandwidth,
(
case when min(s_time)= max(e_time) then max(max_traffic_in) else max
(max_traffic_in)- min(min_traffic_in) end
) as traffic_in,
(
case when min(s_time)= max(e_time) then max(max_traffic_out) else max
(max_traffic_out)- min(min_traffic_out) end
) as traffic_out
from
###(select devid, vd, nullifna(`xauthuser`) as xauthuser_agg, nullifna
(`user`) as user_agg, remip, tunnelid, min(coalesce(dtime, 0)) as s_time, max
(coalesce(dtime, 0)) as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out,
min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_
traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in from $log where $fil-
ter and subtype='vpn' and tunneltype like 'ipsec%' and not (tunnelip is null or
(tunnelip='0.0.0.0' and coalesce(logver, 0)!=52)) and action in ('tunnel-stats',
'tunnel-down', 'tunnel-up') and tunnelid is not null group by devid, vd, xau-
thuser_agg, user_agg, remip, tunnelid)### t group by devid, vd, remip, tunnelid)
tt group by user_src, remip having sum(bandwidth)>0 order by bandwidth desc

38 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

Top-Dial-Up- Top dial up IPsec users by event

IPSEC-Users-By- duration
Duration

Dataset Reference 39
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
coalesce(
xauthuser_agg,
user_agg,
ipstr(`remip`)
) as user_src,
from_dtime(
min(s_time)
) as start_time,
sum(duration) as duration,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
select
devid,
vd,
remip,
string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg,
string_agg(distinct user_agg, ' ') as user_agg,
tunnelid,
min(s_time) as s_time,
max(e_time) as e_time,
(
case when min(s_time)= max(e_time) then max(max_duration) else max(max_
duration)- min(min_duration) end
) as duration,
(
case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_
traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)
- min(min_traffic_out) end
) as bandwidth,
(
case when min(s_time)= max(e_time) then max(max_traffic_in) else max
(max_traffic_in)- min(min_traffic_in) end
) as traffic_in,
(
case when min(s_time)= max(e_time) then max(max_traffic_out) else max
(max_traffic_out)- min(min_traffic_out) end
) as traffic_out
from
###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nul-
lifna(`user`) as user_agg, tunnelid, min(coalesce(dtime, 0)) as s_time, max
(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min
(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_
traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sent-
byte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in from
$log where $filter and subtype='vpn' and tunneltype like 'ipsec%' and not (tun-
nelip is null or (tunnelip='0.0.0.0' and coalesce(logver, 0)!=52)) and action
in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null group
by devid, vd, remip, xauthuser_agg, user_agg, tunnelid order by tunnelid)### t
group by devid, vd, remip, tunnelid) tt group by user_src having sum(bandwidth)
>0 order by duration desc

40 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

Top-SSL-VPN- Top SSL VPN web mode users event

Web-Mode- by bandwidth usage
Users-By-
Bandwidth

select
user_src,
remip as remote_ip,
from_dtime(
min(s_time)
) as start_time,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
select
devid,
vd,
user_src,
remip,
tunnelid,
min(s_time) as s_time,
max(e_time) as e_time,
(
case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_
traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)
- min(min_traffic_out) end
) as bandwidth,
(
case when min(s_time)= max(e_time) then max(max_traffic_in) else max
(max_traffic_in)- min(min_traffic_in) end
) as traffic_in,
(
case when min(s_time)= max(e_time) then max(max_traffic_out) else max
(max_traffic_out)- min(min_traffic_out) end
) as traffic_out
from
###(select devid, vd, coalesce(nullifna(`user`), ipstr(`remip`)) as user_
src, remip, tunnelid, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0))
as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte,
0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max
(coalesce(rcvdbyte, 0)) as max_traffic_in from $log where $filter and sub-
type='vpn' and tunneltype='ssl-web' and action in ('tunnel-stats', 'tunnel-
down', 'tunnel-up') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null
and tunnelid is not null group by devid, vd, user_src, remip, tunnelid)### t
group by devid, vd, user_src, remip, tunnelid) tt group by user_src, remote_ip
having sum(bandwidth)>0 order by bandwidth desc

Dataset Reference 41
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

Top-SSL-VPN- Top SSL VPN users by duration event

Users-By-
Duration

select
user_src,
tunneltype,
sum(duration) as duration,
sum(traffic_out + traffic_in) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
select
devid,
vd,
remip,
user_src,
tunneltype,
tunnelid,
max(duration) as duration,
max(traffic_in) as traffic_in,
max(traffic_out) as traffic_out
from
###(select devid, vd, remip, coalesce(nullifna(`user`), ipstr(`remip`)) as
user_src, tunnelid, tunneltype, max(coalesce(duration, 0)) as duration, max
(coalesce(sentbyte, 0)) as traffic_out, max(coalesce(rcvdbyte, 0)) as traffic_in
from $log where $filter and subtype='vpn' and tunneltype like 'ssl%' and action
in ('tunnel-stats', 'tunnel-down') and coalesce(nullifna(`user`), ipstr
(`remip`)) is not null and tunnelid is not null group by devid, vd, remip, user_
src, tunnelid, tunneltype)### t group by devid, vd, remip, user_src, tunnelid,
tunneltype) tt group by user_src, tunneltype having sum(traffic_out+traffic_in)
>0 order by duration desc

vpn-Top-Dial- Top dial up VPN users by event

Up-VPN-Users- duration
By-Duration

42 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
coalesce(
xauthuser_agg,
user_agg,
ipstr(`remip`)
) as user_src,
t_type as tunneltype,
from_dtime(
min(s_time)
) as start_time,
sum(duration) as duration,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
select
devid,
vd,
remip,
string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg,
string_agg(distinct user_agg, ' ') as user_agg,
t_type,
tunnelid,
min(s_time) as s_time,
max(e_time) as e_time,
(
case when min(s_time)= max(e_time) then max(max_duration) else max(max_
duration)- min(min_duration) end
) as duration,
(
case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_
traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)
- min(min_traffic_out) end
) as bandwidth,
(
case when min(s_time)= max(e_time) then max(max_traffic_in) else max
(max_traffic_in)- min(min_traffic_in) end
) as traffic_in,
(
case when min(s_time)= max(e_time) then max(max_traffic_out) else max
(max_traffic_out)- min(min_traffic_out) end
) as traffic_out
from
###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nul-
lifna(`user`) as user_agg, (case when tunneltype like 'ipsec%' then 'ipsec' else
tunneltype end) as t_type, tunnelid, min(coalesce(dtime, 0)) as s_time, max
(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min
(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_
traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sent-
byte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in from
$log where $filter and subtype='vpn' and (tunneltype like 'ssl%' or (tunneltype
like 'ipsec%' and not (tunnelip is null or (tunnelip='0.0.0.0' and coalesce
(logver, 0)!=52)))) and action in ('tunnel-stats', 'tunnel-down', 'tunnel-up')
and tunnelid is not null group by devid, vd, remip, xauthuser_agg, user_agg, t_
type, tunnelid)### t group by devid, vd, remip, t_type, tunnelid) tt group by
user_src, tunneltype having sum(bandwidth)>0 order by duration desc
Dataset Reference 43
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

vpn-User-Login- VPN user login history event

history

select
hodex,
sum(total_num) as total_num
from
(
select
hodex,
devid,
vd,
remip,
tunnelid,
sum(tunnelup) as total_num,
max(traffic_in) as traffic_in,
max(traffic_out) as traffic_out
from
###(select $flex_timescale as hodex, devid, vd, remip, tunnelid, (case
when action='tunnel-up' then 1 else 0 end) as tunnelup, max(coalesce(sentbyte,
0)) as traffic_out, max(coalesce(rcvdbyte, 0)) as traffic_in from $log where
$filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like
'ssl%') and action in ('tunnel-up', 'tunnel-stats', 'tunnel-down') and tunnelid
is not null group by hodex, action, devid, vd, remip, tunnelid)### t group by
hodex, devid, vd, remip, tunnelid having max(tunnelup) > 0 and max(traffic_in)
+max(traffic_out)>0 )tt group by hodex order by total_num desc

vpn-Failed- VPN failed logins event

select
f_user,
tunneltype,
sum(total_num) as total_num
from
###(select coalesce(nullifna(`xauthuser`), `user`) as f_user, tunneltype,
count(*) as total_num from $log where $filter and subtype='vpn' and (tun-
neltype='ipsec' or left(tunneltype, 3)='ssl') and action in ('ssl-login-fail',
'ipsec-login-fail') and coalesce(nullifna(`xauthuser`), nullifna(`user`)) is not
null group by f_user, tunneltype)### t group by f_user, tunneltype order by
total_num desc

vpn- VPN authenticated logins event

Authenticated-
Logins

44 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
coalesce(
xauthuser_agg,
user_agg,
ipstr(`remip`)
) as f_user,
t_type as tunneltype,
from_dtime(
min(s_time)
) as start_time,
sum(total_num) as total_num,
sum(duration) as duration
from
(
select
string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg,
string_agg(distinct user_agg, ' ') as user_agg,
t_type,
devid,
vd,
remip,
tunnelid,
min(s_time) as s_time,
max(e_time) as e_time,
(
case when min(s_time)= max(e_time) then max(max_duration) else max(max_
duration)- min(min_duration) end
) as duration,
(
case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_
traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)
- min(min_traffic_out) end
) as bandwidth,
(
case when min(s_time)= max(e_time) then max(max_traffic_in) else max
(max_traffic_in)- min(min_traffic_in) end
) as traffic_in,
(
case when min(s_time)= max(e_time) then max(max_traffic_out) else max
(max_traffic_out)- min(min_traffic_out) end
) as traffic_out,
sum(tunnelup) as total_num
from
###(select nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as
user_agg, devid, vd, remip, (case when tunneltype like 'ipsec%' then 'ipsec'
else tunneltype end) as t_type, tunnelid, sum((case when action='tunnel-up' then
1 else 0 end)) as tunnelup, min(coalesce(dtime, 0)) as s_time, max(coalesce
(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min(coalesce
(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_traffic_out,
min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_
traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in from $log where $fil-
ter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like 'ssl%')
and action in ('tunnel-up', 'tunnel-stats', 'tunnel-down') and tunnelid is not
null group by xauthuser_agg, user_agg, devid, vd, remip, t_type, tunnelid)### t
group by t_type, devid, vd, remip, tunnelid having max(tunnelup) > 0) tt group
by f_user, tunneltype having sum(bandwidth) > 0 order by total_num desc

Dataset Reference 45
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

vpn-Traffic- VPN traffic usage trend event

Usage-Trend-
VPN-Summary

select
hodex,
sum(ssl_traffic_out + ssl_traffic_in) as ssl_bandwidth,
sum(
ipsec_traffic_out + ipsec_traffic_in
) as ipsec_bandwidth
from
(
select
hodex,
devid,
vd,
remip,
tunnelid,
(
case when t_type like 'ssl%' then max(traffic_in) else 0 end
) as ssl_traffic_in,
(
case when t_type like 'ssl%' then max(traffic_out) else 0 end
) as ssl_traffic_out,
(
case when t_type like 'ipsec%' then max(traffic_in) else 0 end
) as ipsec_traffic_in,
(
case when t_type like 'ipsec%' then max(traffic_out) else 0 end
) as ipsec_traffic_out
from
###(select $flex_timescale as hodex, devid, vd, remip, tunnelid, (case
when tunneltype like 'ipsec%' then 'ipsec' else tunneltype end) as t_type, max
(coalesce(sentbyte, 0)) as traffic_out, max(coalesce(rcvdbyte, 0)) as traffic_in
from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or tun-
neltype like 'ssl%') and action in ('tunnel-stats', 'tunnel-down') and tunnelid
is not null group by hodex, devid, vd, remip, t_type, tunnelid)### t group by
hodex, devid, t_type, vd, remip, tunnelid ) tt group by hodex order by hodex

Top-S2S-IPSEC- Top S2S IPsec tunnels by event

Tunnels-By- bandwidth usage and avail
Bandwidth-and-
Availability

46 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
vpntunnel,
tunneltype,
sum(traffic_out) as traffic_out,
sum(traffic_in) as traffic_in,
sum(bandwidth) as bandwidth,
sum(uptime) as uptime
from
(
select
vpntunnel,
tunneltype,
tunnelid,
devid,
vd,
sum(sent_end - sent_beg) as traffic_out,
sum(rcvd_end - rcvd_beg) as traffic_in,
sum(
sent_end - sent_beg + rcvd_end - rcvd_beg
) as bandwidth,
sum(duration_end - duration_beg) as uptime
from
###(select tunnelid, tunneltype, vpntunnel, devid, vd, min(coalesce(sent-
byte, 0)) as sent_beg, max(coalesce(sentbyte, 0)) as sent_end, min(coalesce(rcvd-
byte, 0)) as rcvd_beg, max(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce
(duration, 0)) as duration_beg, max(coalesce(duration, 0)) as duration_end from
$log where $filter and subtype='vpn' and action='tunnel-stats' and tunneltype
like 'ipsec%' and (tunnelip is null or (tunnelip='0.0.0.0' and coalesce(logver,
0)!=52)) and nullifna(`user`) is null and tunnelid is not null group by tun-
nelid, tunneltype, vpntunnel, devid, vd order by tunnelid)### t group by vpn-
tunnel, tunneltype, tunnelid, devid, vd order by bandwidth desc) t group by
vpntunnel, tunneltype order by bandwidth desc

Top-Dialup- Top dialup IPsec users by event

IPSEC-By- bandwidth usage and avail
Bandwidth-and-
Availability

Dataset Reference 47
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
user_src,
remip,
sum(traffic_out) as traffic_out,
sum(traffic_in) as traffic_in,
sum(bandwidth) as bandwidth,
sum(uptime) as uptime
from
(
select
user_src,
remip,
tunnelid,
devid,
vd,
sum(sent_end - sent_beg) as traffic_out,
sum(rcvd_end - rcvd_beg) as traffic_in,
sum(
sent_end - sent_beg + rcvd_end - rcvd_beg
) as bandwidth,
sum(duration_end - duration_beg) as uptime
from
###(select tunnelid, coalesce(nullifna(`xauthuser`), nullifna(`user`),
ipstr(`remip`)) as user_src, remip, devid, vd, min(coalesce(sentbyte, 0)) as
sent_beg, max(coalesce(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as
rcvd_beg, max(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce(duration, 0)) as
duration_beg, max(coalesce(duration, 0)) as duration_end from $log where $filter
and subtype='vpn' and action='tunnel-stats' and tunneltype like 'ipsec%' and not
(tunnelip is null or (tunnelip='0.0.0.0' and coalesce(logver, 0)!=52)) and tun-
nelid is not null group by tunnelid, user_src, remip, devid, vd order by tun-
nelid)### t group by user_src, remip, tunnelid, devid, vd order by bandwidth
desc) t group by user_src, remip order by bandwidth desc

Top-SSL- Top SSL tunnel users by event

Tunnel-Mode- bandwidth usage and avail
By-Bandwidth-
and-Availability

48 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
user_src,
remote_ip,
sum(traffic_out) as traffic_out,
sum(traffic_in) as traffic_in,
sum(bandwidth) as bandwidth,
sum(uptime) as uptime
from
(
select
user_src,
remip as remote_ip,
tunnelid,
devid,
vd,
sum(sent_end - sent_beg) as traffic_out,
sum(rcvd_end - rcvd_beg) as traffic_in,
sum(
sent_end - sent_beg + rcvd_end - rcvd_beg
) as bandwidth,
sum(duration_end - duration_beg) as uptime
from
###(select tunnelid, coalesce(nullifna(`user`), ipstr(`remip`)) as user_
src, remip, devid, vd, min(coalesce(sentbyte, 0)) as sent_beg, max(coalesce(sent-
byte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as rcvd_beg, max(coalesce(rcvd-
byte, 0)) as rcvd_end, min(coalesce(duration, 0)) as duration_beg, max(coalesce
(duration, 0)) as duration_end from $log where $filter and subtype='vpn' and
action='tunnel-stats' and tunneltype in ('ssl-tunnel', 'ssl') and coalesce(nul-
lifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by tun-
nelid, user_src, remip, devid, vd order by tunnelid)### t group by user_src,
remote_ip, tunnelid, devid, vd order by bandwidth desc) t group by user_src,
remote_ip order by bandwidth desc

Top-SSL-Web- Top SSL web users by event

Mode-By- bandwidth usage and avail
Bandwidth-and-
Availability

Dataset Reference 49
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
user_src,
remote_ip,
sum(traffic_out) as traffic_out,
sum(traffic_in) as traffic_in,
sum(bandwidth) as bandwidth,
sum(uptime) as uptime
from
(
select
user_src,
remip as remote_ip,
tunnelid,
devid,
vd,
sum(sent_end - sent_beg) as traffic_out,
sum(rcvd_end - rcvd_beg) as traffic_in,
sum(
sent_end - sent_beg + rcvd_end - rcvd_beg
) as bandwidth,
sum(duration_end - duration_beg) as uptime
from
###(select tunnelid, coalesce(nullifna(`user`), ipstr(`remip`)) as user_
src, remip, devid, vd, min(coalesce(sentbyte, 0)) as sent_beg, max(coalesce(sent-
byte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as rcvd_beg, max(coalesce(rcvd-
byte, 0)) as rcvd_end, min(coalesce(duration, 0)) as duration_beg, max(coalesce
(duration, 0)) as duration_end from $log where $filter and subtype='vpn' and
action='tunnel-stats' and tunneltype='ssl-web' and coalesce(nullifna(`user`),
ipstr(`remip`)) is not null and tunnelid is not null group by tunnelid, user_
src, remip, devid, vd order by tunnelid)### t group by user_src, remote_ip, tun-
nelid, devid, vd having sum(sent_end-sent_beg+rcvd_end-rcvd_beg)>0 order by band-
width desc) t group by user_src, remote_ip order by bandwidth desc

Admin-Login- Event admin login summary event

Summary

50 Dataset Reference
Fortinet Inc.
Dataset Reference List

Admin-Login- Event admin login summary by event

Summary-By- date
Date

select
$flex_timescale as dom,
sum(
case when logid_to_int(logid)= 32001 then 1 else 0 end
) as total_num,
count(state) as total_change
from
$log
where
$filter
and nullifna(`user`) is not null
and logid_to_int(logid) in (32001, 32003)
group by
dom
having
sum(
case when logid_to_int(logid)= 32001 then 1 else 0 end
)> 0
order by
dom

Dataset Reference 51
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

Admin-Failed- Event admin failed login event

select
`user` as f_user,
ui,
count(status) as total_failed
from
$log
where
$filter
and nullifna(`user`) is not null
and logid_to_int(logid) = 32002
group by
ui,
f_user
order by
total_failed desc

System- Event system summary by event

Summary-By- severity
Severity

select
(
case when level in ('critical', 'alert', 'emergency') then 'Critical' when
level = 'error' then 'High' when level = 'warning' then 'Medium' when level =
'notice' then 'Low' else 'Info' end
) as severity,
count(*) as total_num
from
$log
where
$filter
and subtype = 'system'
group by
severity
order by
total_num desc

System- Event system summary by date event

Summary-By-
Date

52 Dataset Reference
Fortinet Inc.
Dataset Reference List

System-Critical- Event system critical severity event

Severity-Events events

select
msg_desc as msg,
severity,
sum(count) as counts
from
###(select coalesce(nullifna(logdesc), msg) as msg_desc, (case when level in
('critical', 'alert', 'emergency') then 'Critical' when level='error' then
'High' when level='warning' then 'Medium' when level='notice' then 'Low' else
'Info' end) as severity, count(*) as count from $log where $filter and sub-
type='system' group by msg_desc, severity order by count desc)### t where sever-
ity='Critical' group by msg, severity order by counts desc

System-High- Event system high severity event

Severity-Events events

Dataset Reference 53
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

System- Event system medium severity event

Medium- events
Severity-Events

select
msg_desc as msg,
severity,
sum(count) as counts
from
###(select coalesce(nullifna(logdesc), msg) as msg_desc, (case when level in
('critical', 'alert', 'emergency') then 'Critical' when level='error' then
'High' when level='warning' then 'Medium' when level='notice' then 'Low' else
'Info' end) as severity, count(*) as count from $log where $filter and sub-
type='system' group by msg_desc, severity order by count desc)### t where sever-
ity='Medium' group by msg, severity order by counts desc

utm-drilldown- UTM drilldown traffic summary traffic

Top-Traffic-
Summary

select
srcip,
srcname
from
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
as user_src, srcip, srcname from $log where $filter-exclude-var and logid_to_int
(logid) not in (4, 7, 14) group by user_src, srcip, srcname)### t where $filter-
var-only group by srcip, srcname

utm-drilldown- UTM drilldown top user traffic

Top-User- destination
Destination

54 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
appid,
app,
dstip,
sum(sessions) as sessions,
sum(bandwidth) as bandwidth
from
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
as user_src, appid, app, dstip, count(*) as sessions, sum(coalesce(sentbyte, 0)
+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and
logid_to_int(logid) not in (4, 7, 14) and dstip is not null and nullifna(app) is
not null group by user_src, appid, app, dstip having sum(coalesce(sentbyte, 0)
+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t where $filter-var-only
group by appid, app, dstip order by bandwidth desc

utm-drilldown- UTM drilldown email senders traffic

Email-Senders- summary
Summary

select
sum(requests) as requests,
sum(bandwidth) as bandwidth
from
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
as user_src, sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and logid_to_int
(logid) not in (4, 7, 14) and service in ('smtp', 'SMTP', '25/tcp', '587/tcp',
'smtps', 'SMTPS', '465/tcp') group by user_src, sender order by requests desc)
### t where $filter-var-only

utm-drilldown- UTM drilldown email receivers traffic

Email-Receivers- summary
Summary

select
sum(requests) as requests,
sum(bandwidth) as bandwidth
from
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
as user_src, recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and logid_to_int
(logid) not in (4, 7, 14) and recipient is not null and service in ('pop3',
'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp',
'pop3s', 'POP3S', '995/tcp') group by user_src, recipient order by requests
desc)### t where $filter-var-only

utm-drilldown- UTM drilldown top email traffic

Top-Email- recipients
Recipients-By-
Bandwidth

Dataset Reference 55
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
recipient,
sum(bandwidth) as bandwidth
from
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
as user_src, recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and logid_to_int
(logid) not in (4, 7, 14) and service in ('pop3', 'POP3', '110/tcp', 'imap',
'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp')
group by user_src, recipient order by requests desc)### t where $filter-var-only
and recipient is not null group by recipient having sum(bandwidth)>0 order by
bandwidth desc

utm-drilldown- UTM drilldown top email traffic

Top-Email- senders
Senders-By-
Bandwidth

select
sender,
sum(bandwidth) as bandwidth
from
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
as user_src, sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and logid_to_int
(logid) not in (4, 7, 14) and service in ('smtp', 'SMTP', '25/tcp', '587/tcp',
'smtps', 'SMTPS', '465/tcp') group by user_src, sender order by requests desc)
### t where $filter-var-only and sender is not null group by sender having sum
(bandwidth)>0 order by bandwidth desc

utm-drilldown- UTM drilldown top allowed web traffic

Top-Allowed- sites by bandwidth
Websites-By-
Bandwidth

56 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
appid,
hostname,
sum(bandwidth) as bandwidth
from
(
###(select coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`sr-
cip`)) as user_src, appid, hostname, (case when utmaction='blocked' then 1 else
0 end) as blocked, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth
from $log-traffic where $filter-exclude-var and logid_to_int(logid) not in (4,
7, 14) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-
block', 'script-filter') and hostname is not null group by user_src, appid, host-
name, blocked order by bandwidth desc)### union all ###(select coalesce(nullifna
(ùser`), ipstr(`srcip`)) as user_src, 0 as appid, hostname, (case when action-
n='blocked' then 1 else 0 end) as blocked, sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0)) as bandwidth from $log-webfilter where $filter-exclude-var and
(eventtype is null or logver = 52) and hostname is not null group by user_src,
appid, hostname, blocked order by bandwidth desc)###) t where $filter-var-only
and blocked=0 group by appid, hostname order by bandwidth desc

utm-drilldown- UTM drilldown top blocked web traffic

Top-Blocked- sites by request
Websites-By-
Request

select
appid,
hostname,
sum(requests) as requests
from
(
###(select coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`sr-
cip`)) as user_src, appid, hostname, (case when utmaction='blocked' then 1 else
0 end) as blocked, count(*) as requests from $log-traffic where $filter-exclude-
var and logid_to_int(logid) not in (4, 7, 14) and utmevent in ('webfilter',
'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is
not null group by user_src, appid, hostname, blocked order by requests desc)###
union all ###(select coalesce(nullifna(ùser`), ipstr(`srcip`)) as user_src, 0
as appid, hostname, (case when action='blocked' then 1 else 0 end) as blocked,
count(*) as requests from $log-webfilter where $filter-exclude-var and (event-
type is null or logver = 52) and hostname is not null group by user_src, appid,
hostname, blocked order by requests desc)###) t where $filter-var-only and
blocked=1 group by appid, hostname order by requests desc

utm-drilldown- UTM drilldown top virus traffic

Top-Virus-By-
Name

Dataset Reference 57
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
virus,
sum(totalnum) as totalnum
from
(
###(select coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`sr-
cip`)) as user_src, virus, count(*) as totalnum from $log-traffic where $filter-
exclude-var and logid_to_int(logid) not in (4, 7, 14) and utmevent is not null
and virus is not null group by user_src, virus order by totalnum desc)### union
all ###(select coalesce(nullifna(ùser`), ipstr(`srcip`)) as user_src, virus,
count(*) as totalnum from $log-virus where $filter-exclude-var and (eventtype is
null or logver = 52) and nullifna(virus) is not null group by user_src, virus
order by totalnum desc)###) t where $filter-var-only group by virus order by
totalnum desc

utm-drilldown- UTM drilldown top attacks by attack

Top-Attacks name

select
attack,
sum(attack_count) as attack_count
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, attack,
count(*) as attack_count from $log where $filter-exclude-var and nullifna
(attack) is not null group by user_src, attack order by attack_count desc)### t
where $filter-var-only group by attack order by attack_count desc

utm-drilldown- UTM drilldown top vulnerability netscan

Top-Vulnerability by name

select
vuln,
sum(totalnum) as totalnum
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, vuln, count
(*) as totalnum from $log where $filter-exclude-var and action='vuln-detection'
and vuln is not null group by user_src, vuln order by totalnum desc)### t where
$filter-var-only group by vuln order by totalnum desc

utm-drilldown- UTM drilldown top applications traffic

Top-App-By- by bandwidth usage
Bandwidth

58 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
appid,
app,
sum(bandwidth) as bandwidth
from
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
as user_src, appid, app, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as
bandwidth, count(*) as sessions from $log where $filter-exclude-var and logid_
to_int(logid) not in (4, 7, 14) and nullifna(app) is not null group by user_src,
appid, app order by sessions desc)### t where $filter-var-only group by appid,
app having sum(bandwidth)>0 order by bandwidth desc

utm-drilldown- UTM drilldown top applications traffic

Top-App-By- by session count
Sessions

select
appid,
app,
sum(sessions) as sessions
from
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
as user_src, appid, app, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as
bandwidth, count(*) as sessions from $log where $filter-exclude-var and logid_
to_int(logid) not in (4, 7, 14) and nullifna(app) is not null group by user_src,
appid, app order by sessions desc)### t where $filter-var-only group by appid,
app order by sessions desc

Top5-Users-By- UTM drilldown top users by traffic

Bandwidth bandwidth usage

Dataset Reference 59
Fortinet Inc.
Dataset Reference List

bandwidth-app- Top applications by bandwidth traffic

Top-App-By- usage
Bandwidth-
Sessions

60 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

bandwidth-app- Application risk application traffic

Category-By- usage by category
Bandwidth

select
appcat,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and nullifna(appcat) is not null
group by
appcat
order by
bandwidth desc

Dataset Reference 61
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

bandwidth-app- Bandwidth application top users traffic

Top-Users-By- by bandwidth usage
Bandwidth-
Sessions

bandwidth-app- Bandwidth application traffic by traffic

Traffic-By- active user number
Active-User-
Number

62 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

bandwidth-app- Bandwidth application top dest traffic

Top-Dest-By- by bandwidth usage sessions
Bandwidth-
Sessions

select
coalesce(
nullifna(
root_domain(hostname)
),
ipstr(`dstip`)
) as domain,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth,
sum(
coalesce(rcvdbyte, 0)
) as traffic_in,
sum(
coalesce(sentbyte, 0)
) as traffic_out,
count(*) as sessions
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
appid,
domain
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc

bandwidth-app- Top policies by bandwidth and traffic

Top-Policies-By- sessions
Bandwidth-
Sessions

Dataset Reference 63
Fortinet Inc.
Dataset Reference List

bandwidth-app- Bandwidth application traffic traffic

Traffic-Statistics statistics

64 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

drop
table if exists stats_temp; create temporary table stats_temp(
total_sessions varchar(255),
total_bandwidth varchar(255),
ave_session varchar(255),
ave_bandwidth varchar(255),
active_date varchar(255),
total_users varchar(255),
total_app varchar(255),
total_dest varchar(255)
); insert into stats_temp (
total_sessions, total_bandwidth,
ave_session, ave_bandwidth
)
select
format_numeric_no_decimal(
sum(sessions)
) as total_sessions,
bandwidth_unit(
sum(bandwidth)
) as total_bandwidth,
format_numeric_no_decimal(
cast(
sum(sessions)/ $days_num as decimal(18, 0)
)
) as ave_session,
bandwidth_unit(
cast(
sum(bandwidth)/ $days_num as decimal(18, 0)
)
) as ave_bandwidth
from
###(select count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte,
0)) as bandwidth from $log where $filter and logid_to_int(logid) not in (4, 7,
14))### t; update stats_temp set active_date=t1.dom from (select dom, sum(ses-
sions) as sessions from ###(select $DAY_OF_MONTH as dom, count(*) as sessions
from $log where $filter and logid_to_int(logid) not in (4, 7, 14) group by dom
order by sessions)### t group by dom order by sessions desc limit 1) as t1;
update stats_temp set total_users=t2.totalnum from (select format_numeric_no_
decimal(count(distinct(user_src))) as totalnum from ###(select distinct(coalesce
(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))) as user_src from
$log where $filter and logid_to_int(logid) not in (4, 7, 14))### t ) as t2;
update stats_temp set total_app=t3.totalnum from (select format_numeric_no_
decimal(count(distinct(app_group_name(app)))) as totalnum from ###(select dis-
tinct(app_group_name(app)) as app from $log where $filter and logid_to_int
(logid) not in (4, 7, 14))### t ) as t3; update stats_temp set total_dest-
t=t4.totalnum from (select format_numeric_no_decimal(count(distinct(dstip))) as
totalnum from ###(select distinct(dstip) as dstip from $log where $filter and
logid_to_int(logid) not in (4, 7, 14))### t ) as t4; select 'Total Sessions' as
summary, total_sessions as stats from stats_temp union all select 'Total Bytes
Transferred' as summary, total_bandwidth as stats from stats_temp union all
select 'Most Active Date By Sessions' as summary, active_date as stats from
stats_temp union all select 'Total Users' as summary, total_users as stats from
stats_temp union all select 'Total Applications' as summary, total_app as stats
from stats_temp union all select 'Total Destinations' as summary, total_dest as
stats from stats_temp union all select 'Average Sessions Per Day' as summary,
ave_session as stats from stats_temp union all select 'Average Bytes Per Day' as
summary,
Dataset ave_bandwidth as stats from stats_temp
Reference 65
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

Score-Summary- Reputation score summary for traffic

For-All-Users- all users devices
Devices

select
$flex_timescale as hodex,
sum(crscore % 65536) as scores
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and crscore is not null
group by
hodex
having
sum(crscore % 65536)> 0
order by
hodex

Number-Of- Reputation number of incidents traffic

Incidents-For- for all users devices
All-Users-
Devices

select
$flex_timescale as hodex,
sum(crscore % 65536) as scores,
count(*) as totalnum
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and crscore is not null
group by
hodex
having
sum(crscore % 65536)> 0
order by
hodex

Top-Users-By- Reputation top users by scores traffic

Reputation-
Scores

66 Dataset Reference
Fortinet Inc.
Dataset Reference List

Top-Devices-By- Reputation top devices by traffic

Reputation- scores
Scores

select
devtype,
coalesce(
nullifna(`srcname`),
nullifna(`srcmac`),
ipstr(`srcip`)
) as dev_src,
sum(crscore % 65536) as scores
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and crscore is not null
group by
devtype,
dev_src
having
sum(crscore % 65536)> 0
order by
scores desc

Top-Users-With- Reputation top users with traffic

Increased- increased scores
Scores

Dataset Reference 67
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

drop
table if exists prd1_usr_tbl;
drop
table if exists prd2_usr_tbl; create temporary table prd1_usr_tbl as ###
(select coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) as f_
user, sum(crscore%65536) as sum_rp_score from $log where $pre_period $filter and
logid_to_int(logid) not in (4, 7, 14) and crscore is not null group by f_user
having sum(crscore%65536)>0 order by sum_rp_score desc)###; create temporary
table prd2_usr_tbl as ###(select coalesce(nullifna(ùser`), nullifna(ùn-
authuser`), ipstr(`srcip`)) as f_user, sum(crscore%65536) as sum_rp_score from
$log where $filter and logid_to_int(logid) not in (4, 7, 14) and crscore is not
null group by f_user having sum(crscore%65536)>0 order by sum_rp_score desc)###;
select t1.f_user, sum(t1.sum_rp_score) as t1_sum_score, sum(t2.sum_rp_score) as
t2_sum_score, (sum(t2.sum_rp_score)-sum(t1.sum_rp_score)) as delta from prd1_
usr_tbl as t1 inner join prd2_usr_tbl as t2 on t1.f_user=t2.f_user where t2.sum_
rp_score > t1.sum_rp_score group by t1.f_user order by delta desc

Top-Devices- Reputation top devices with traffic

With-Increased- increased scores
Scores

drop
table if exists prd1_dev_tbl;
drop
table if exists prd2_dev_tbl; create temporary table prd1_dev_tbl as ###
(select coalesce(nullifna(`srcname`),nullifna(`srcmac`), ipstr(`srcip`)) as f_
device, devtype, sum(crscore%65536) as sum_rp_score from $log where $pre_period
$filter and logid_to_int(logid) not in (4, 7, 14) and crscore is not null group
by f_device, devtype having sum(crscore%65536)>0 order by sum_rp_score desc)###;
create temporary table prd2_dev_tbl as ###(select coalesce(nullifna(`sr-
cname`),nullifna(`srcmac`), ipstr(`srcip`)) as f_device, devtype, sum
(crscore%65536) as sum_rp_score from $log where $filter and logid_to_int(logid)
not in (4, 7, 14) and crscore is not null group by f_device, devtype having sum
(crscore%65536)>0 order by sum_rp_score desc)###; select t1.f_device, t1.devtype
, sum(t1.sum_rp_score) as t1_sum_score, sum(t2.sum_rp_score) as t2_sum_score,
(sum(t2.sum_rp_score)-sum(t1.sum_rp_score)) as delta from prd1_dev_tbl as t1
inner join prd2_dev_tbl as t2 on t1.f_device=t2.f_device and t1.dev-
type=t2.devtype where t2.sum_rp_score > t1.sum_rp_score group by t1.f_device,
t1.devtype order by delta desc

Attacks-By- Threat attacks by severity attack

Severity

68 Dataset Reference
Fortinet Inc.
Dataset Reference List

Top-Attacks- Threat top attacks detected attack

Detected

select
attack,
severity,
sum(attack_count) as attack_count
from
###(select attack, severity, (case when severity = 'critical' then 1 when
severity = 'high' then 2 when severity = 'medium' then 3 when severity = 'low'
then 4 else 5 end) as severity_level, count(*) as attack_count from $log where
$filter and nullifna(attack) is not null group by attack, severity, severity_
level order by severity_level, attack_count desc)### t group by attack, sever-
ity, severity_level order by severity_level, attack_count desc

Top-Attacks- Threat top attacks blocked attack

Blocked

select
attack,
count(*) as attack_count
from
$log
where
$filter
and nullifna(attack) is not null
and action in (
'deny', 'blocked', 'reset', 'dropped'
)
group by
attack
order by
attack_count desc

Dataset Reference 69
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

Top-Virus- Threat top virus source traffic

Source

select
srcip,
hostname,
sum(totalnum) as totalnum
from
(
###(select srcip, hostname, count(*) as totalnum from $log-traffic where
$filter and logid_to_int(logid) not in (4, 7, 14) and utmevent is not null and
virus is not null group by srcip, hostname order by totalnum desc)### union all
###(select srcip , ipstr(`dstip`) as hostname, count(*) as totalnum from $log-
virus where $filter and (eventtype is null or logver = 52) and nullifna(virus)
is not null group by srcip, hostname order by totalnum desc)###) t group by
srcip, hostname order by totalnum desc

Intrusion-in-Last- Threat intrusion timeline attack

7-Days

select
$flex_timescale as hodex,
count(*) as totalnum
from
$log
where
$filter
group by
hodex
order by
hodex

Virus-Time-Line Threat virus timeline virus

select
hodex,
sum(totalnum) as totalnum
from
(
###(select $flex_timescale as hodex, count(*) as totalnum from $log-traffic
where $filter and logid_to_int(logid) not in (4, 7, 14) and utmevent is not null
and virus is not null group by hodex order by hodex desc)### union all ###
(select $flex_timescale as hodex, count(*) as totalnum from $log-virus where
$filter and (eventtype is null or logver = 52) and nullifna(virus) is not null
group by hodex order by hodex desc)###) t group by hodex order by hodex desc

Top-Spyware- Threat top spyware victims virus

Victims

70 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
user_src,
sum(totalnum) as totalnum
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus,
count(*) as totalnum from $log where $filter group by user_src, virus order by
totalnum desc)### t where virus like 'Riskware%' group by user_src order by
totalnum desc

Top-Spyware-by- Threat top spyware by name virus

Name

select
virus,
sum(totalnum) as totalnum
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus,
count(*) as totalnum from $log where $filter group by user_src, virus order by
totalnum desc)### t where virus like 'Riskware%' group by virus order by total-
num desc

Top-Spyware- Threat top spyware source traffic

Source

select
srcip,
hostname,
count(*) as totalnum
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and virus like 'Riskware%'
group by
srcip,
hostname
order by
totalnum desc

Spyware-Time- Threat spyware timeline virus

Line

Dataset Reference 71
Fortinet Inc.
Dataset Reference List

Top-Adware- Threat top adware victims virus

Victims

select
user_src,
sum(totalnum) as totalnum
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus,
count(*) as totalnum from $log where $filter group by user_src, virus order by
totalnum desc)### t where virus like 'Adware%' group by user_src order by total-
num desc

Top-Adware-by- Threat top adware by name virus

Name

Top-Adware- Threat top adware source traffic

Source

72 Dataset Reference
Fortinet Inc.
Dataset Reference List

Adware-Time- Threat adware timeline virus

Line

select
$flex_timescale as hodex,
count(*) as totalnum
from
$log
where
$filter
and virus like 'Adware%'
group by
hodex
order by
hodex desc

Intrusions- Threat intrusions timeline by attack

Timeline-By- severity
Severity

Dataset Reference 73
Fortinet Inc.
Dataset Reference List

Top-Intrusions- Threat top intrusions by types attack

By-Types

select
vuln_type,
count(*) as totalnum
from
$log t1
left join ips_mdata t2 on t1.attack = t2.name
where
$filter
and vuln_type is not null
group by
vuln_type
order by
totalnum desc

Critical-Severity- Threat critical severity intrusions attack

Intrusions

74 Dataset Reference
Fortinet Inc.
Dataset Reference List

High-Severity- Threat high severity intrusions attack

Intrusions

select
attack,
vuln_type,
count(*) as totalnum
from
$log t1
left join ips_mdata t2 on t1.attack = t2.name
where
$filter
and t1.severity = 'high'
group by
attack,
vuln_type
order by
totalnum desc

Medium- Threat medium severity attack

Severity- intrusions
Intrusions

Dataset Reference 75
Fortinet Inc.
Dataset Reference List

Low-Severity- Threat low severity intrusions attack

Intrusions

select
attack,
vuln_type,
count(*) as totalnum
from
$log t1
left join ips_mdata t2 on t1.attack = t2.name
where
$filter
and t1.severity = 'low'
group by
attack,
vuln_type
order by
totalnum desc

Top-Intrusion- Threat top intrusion victims attack

Victims

select
victim,
sum(cri_num) as critical,
sum(high_num) as high,
sum(med_num) as medium,
sum(cri_num + high_num + med_num) as totalnum
from
###(select dstip as victim, sum((case when severity='critical' then 1 else 0
end)) as cri_num, sum(case when severity='high' then 1 else 0 end) as high_num,
sum(case when severity='medium' then 1 else 0 end) as med_num from $log where
$filter and severity in ('critical', 'high', 'medium') group by victim)### t
group by victim order by totalnum desc

76 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

Top-Intrusion- Threat top intrusion sources attack

Sources

select
source,
sum(cri_num) as critical,
sum(high_num) as high,
sum(med_num) as medium,
sum(cri_num + high_num + med_num) as totalnum
from
###(select srcip as source, sum(case when severity='critical' then 1 else 0
end) as cri_num, sum(case when severity='high' then 1 else 0 end) as high_num,
sum(case when severity='medium' then 1 else 0 end) as med_num from $log where
$filter and severity in ('critical', 'high', 'medium') group by source)### t
group by source order by totalnum desc

Top-Blocked- Threat top blocked intrusions attack

Intrusions

select
attack,
(
case when t1.severity = 'critical' then 'Critical' when t1.severity = 'high'
then 'High' when t1.severity = 'medium' then 'Medium' when t1.severity = 'low'
then 'Low' when t1.severity = 'info' then 'Info' end
) as severity_name,
count(*) as totalnum,
vuln_type,
(
case when t1.severity = 'critical' then 0 when t1.severity = 'high' then 1
when t1.severity = 'medium' then 2 when t1.severity = 'low' then 3 when t1.-
severity = 'info' then 4 else 5 end
) as severity_number
from
$log t1
left join ips_mdata t2 on t1.attack = t2.name
where
$filter
and nullifna(attack) is not null
and action in (
'deny', 'blocked', 'reset', 'dropped'
)
group by
attack,
t1.severity,
vuln_type
order by
severity_number,
totalnum desc

Dataset Reference 77
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

Top-Monitored- Threat top monitored intrusions attack

Intrusions

select
attack,
(
case when t1.severity = 'critical' then 'Critical' when t1.severity = 'high'
then 'High' when t1.severity = 'medium' then 'Medium' when t1.severity = 'low'
then 'Low' when t1.severity = 'info' then 'Info' end
) as severity_name,
count(*) as totalnum,
vuln_type,
(
case when t1.severity = 'critical' then 0 when t1.severity = 'high' then 1
when t1.severity = 'medium' then 2 when t1.severity = 'low' then 3 when t1.-
severity = 'info' then 4 else 5 end
) as severity_number
from
$log t1
left join ips_mdata t2 on t1.attack = t2.name
where
$filter
and nullifna(attack) is not null
and action not in (
'deny', 'blocked', 'reset', 'dropped'
)
group by
attack,
t1.severity,
vuln_type
order by
severity_number,
totalnum desc

Attacks-Over- Threat attacks over HTTP attack

HTTP-HTTPs HTTPs

78 Dataset Reference
Fortinet Inc.
Dataset Reference List

default-AP- Default access point detection event

Detection- summary by status off-wire
Summary-by-
Status-OffWire

select
(
case apstatus when 1 then 'rogue' when 2 then 'accepted' when 3 then 'sup-
pressed' else 'others' end
) as ap_full_status,
count(*) as totalnum
from
(
select
apstatus,
bssid,
ssid
from
###(select apstatus, bssid, ssid, count(*) as subtotal from $log where
$filter and apstatus is not null and apstatus!=0 and bssid is not null and
onwire='no' and logid_to_int(logid) in (43527, 43521, 43525) group by apstatus,
bssid, ssid order by subtotal desc)### t group by apstatus, bssid, ssid) t group
by ap_full_status order by totalnum desc

Dataset Reference 79
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

default-AP- Default access point detection event

Detection- summary by status off-wire
Summary-by-
Status-OffWire_
table

default-AP- Default access point detection event

Detection- summary by status on-wire
Summary-by-
Status-OnWire

select
(
case apstatus when 1 then 'rogue' when 2 then 'accepted' when 3 then 'sup-
pressed' else 'others' end
) as ap_full_status,
count(*) as totalnum
from
(
select
apstatus,
bssid,
ssid
from
###(select apstatus, bssid, ssid, count(*) as subtotal from $log where
$filter and apstatus is not null and apstatus!=0 and bssid is not null and
onwire='yes' and logid_to_int(logid) in (43527, 43521, 43525) group by apstatus,
bssid, ssid order by subtotal desc)### t group by apstatus, bssid, ssid) t group
by ap_full_status order by totalnum desc

80 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

default-AP- Default access point detection event

Detection- summary by status on-wire
Summary-by-
Status-OnWire_
table

select
(
case apstatus when 1 then 'rogue' when 2 then 'accepted' when 3 then 'sup-
pressed' else 'others' end
) as ap_full_status,
count(*) as totalnum
from
(
select
apstatus,
bssid,
ssid
from
###(select apstatus, bssid, ssid, count(*) as subtotal from $log where
$filter and apstatus is not null and apstatus!=0 and bssid is not null and
onwire='yes' and logid_to_int(logid) in (43527, 43521, 43525) group by apstatus,
bssid, ssid order by subtotal desc)### t group by apstatus, bssid, ssid) t group
by ap_full_status order by totalnum desc

default- Default managed access point event

Managed-AP- summary
Summary

select
(
case when (
action like '%join%'
and logid_to_int(logid)= 43522
) then 'Authorized' else 'Unauthorized' end
) as ap_status,
count(*) as totalnum
from
$log
where
$filter
and logid_to_int(logid)= 43522
group by
ap_status
order by
totalnum desc

default- Default managed access point event

Managed-AP- summary
Summary_table

Dataset Reference 81
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

default- Default unclassified access event

Unclassified-AP- point summary
Summary

select
(
case onwire when 'no' then 'off-wire' when 'yes' then 'on-wire' else 'oth-
ers' end
) as ap_status,
count(*) as totalnum
from
###(select onwire, ssid, bssid, count(*) as subtotal from $log where $filter
and apstatus=0 and bssid is not null and logid_to_int(logid) in (43521, 43525,
43527) group by onwire, ssid, bssid order by subtotal desc)### t group by ap_
status order by totalnum desc

default- Default unclassified access event

Unclassified-AP- point summary
Summary_table

82 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

default-selected- Default selected access point event

AP-Details- details off-wire
OffWire

select
(
case apstatus when 0 then 'unclassified' when 1 then 'rogue' when 2 then
'accepted' when 3 then 'suppressed' else 'others' end
) as ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
rssi,
channel,
radioband,
from_dtime(
min(dtime)
) as first_seen,
from_dtime(
max(dtime)
) as last_seen,
detectionmethod,
itime,
onwire as on_wire
from
$log
where
$filter
and apstatus is not null
and bssid is not null
and onwire = 'no'
and logid_to_int(logid)= 43521
group by
ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
rssi,
channel,
radioband,
detectionmethod,
itime,
onwire,
apstatus

Dataset Reference 83
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

default-selected- Default selected access point event

AP-Details- details on-wire
OnWire

select
(
case apstatus when 0 then 'unclassified' when 1 then 'rogue' when 2 then
'accepted' when 3 then 'suppressed' else 'others' end
) as ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
rssi,
channel,
radioband,
from_dtime(
min(dtime)
) as first_seen,
from_dtime(
max(dtime)
) as last_seen,
detectionmethod,
itime,
onwire as on_wire
from
$log
where
$filter
and apstatus is not null
and bssid is not null
and onwire = 'yes'
and logid_to_int(logid)= 43521
group by
ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
rssi,
channel,
radioband,
detectionmethod,
itime,
onwire,
apstatus

event-Wireless- Event wireless client details event

Client-Details

84 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

event-Wireless- Event wireless accepted off-wire event

Accepted-
Offwire

select
'accepted' as ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
from_dtime(
max(last_seen)
) as last_seen,
detectionmethod,
snclosest,
'no' as on_wire
from
###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod,
snclosest, onwire, logid, apstatus, max(dtime) as last_seen from $log where $fil-
ter and bssid is not null and logid_to_int(logid) in (43521, 43525) group by
devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest,
onwire, logid, apstatus order by last_seen desc)### t where apstatus=2 and
onwire='no' group by devid, vd, ssid, bssid, manuf, channel, radioband, detec-
tionmethod, snclosest order by last_seen desc

event-Wireless- Event wireless accepted on-wire event

Accepted-
Onwire

86 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
'accepted' as ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
from_dtime(
max(last_seen)
) as last_seen,
detectionmethod,
snclosest,
'yes' as on_wire
from
###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod,
snclosest, onwire, apstatus, max(dtime) as last_seen from $log where $filter and
bssid is not null and logid_to_int(logid) in (43521, 43525) group by devid, vd,
ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire,
apstatus order by last_seen desc)### t where apstatus=2 and onwire='yes' group
by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest
order by last_seen desc

event-Wireless- Event wireless rogue off-wire event

Rogue-Offwire

select
'rogue' as ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
from_dtime(
max(last_seen)
) as last_seen,
detectionmethod,
snclosest,
'no' as on_wire
from
###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod,
snclosest, onwire, logid, apstatus, max(dtime) as last_seen from $log where $fil-
ter and bssid is not null and logid in ('43521', '43525') group by devid, vd,
ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire,
logid, apstatus order by last_seen desc)### t where apstatus=1 and onwire='no'
group by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod,
snclosest order by last_seen desc

Dataset Reference 87
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

event-Wireless- Event wireless rogue on-wire event

Rogue-Onwire

select
'rogue' as ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
from_dtime(
max(last_seen)
) as last_seen,
detectionmethod,
snclosest,
'yes' as on_wire
from
###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod,
snclosest, onwire, apstatus, max(dtime) as last_seen from $log where $filter and
bssid is not null and logid_to_int(logid) in (43521, 43525) group by devid, vd,
ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire,
apstatus order by last_seen desc)### t where apstatus=1 and onwire='yes' group
by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest
order by last_seen desc

event-Wireless- Event wireless suppressed off- event

Suppressed- wire
Offwire

88 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
'suppressed' as ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
from_dtime(
max(last_seen)
) as last_seen,
detectionmethod,
snclosest,
'no' as on_wire
from
###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod,
snclosest, onwire, logid, apstatus, max(dtime) as last_seen from $log where $fil-
ter and bssid is not null and logid_to_int(logid) in (43521, 43525) group by
devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest,
onwire, logid, apstatus order by last_seen desc)### t where apstatus=3 and
onwire='no' group by devid, vd, ssid, bssid, manuf, channel, radioband, detec-
tionmethod, snclosest order by last_seen desc

event-Wireless- Event wireless suppressed on- event

Suppressed- wire
Onwire

select
'suppressed' as ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
from_dtime(
max(last_seen)
) as last_seen,
detectionmethod,
snclosest,
'yes' as on_wire
from
###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod,
snclosest, onwire, apstatus, max(dtime) as last_seen from $log where $filter and
bssid is not null and logid_to_int(logid) in (43521, 43525) group by devid, vd,
ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire,
apstatus order by last_seen desc)### t where apstatus=3 and onwire='yes' group
by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest
order by last_seen desc

Dataset Reference 89
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

event-Wireless- Event wireless unclassified off- event

Unclassified- wire
Offwire

select
'unclassified' as ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
from_dtime(
max(last_seen)
) as last_seen,
detectionmethod,
snclosest,
'no' as on_wire
from
###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod,
snclosest, onwire, logid, apstatus, max(dtime) as last_seen from $log where $fil-
ter and bssid is not null and logid_to_int(logid) in (43521, 43525) group by
devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest,
onwire, logid, apstatus order by last_seen desc)### t where apstatus=0 and
onwire='no' group by devid, vd, ssid, bssid, manuf, channel, radioband, detec-
tionmethod, snclosest order by last_seen desc

event-Wireless- Event wireless unclassified on- event

Unclassified- wire
Onwire

90 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
'unclassified' as ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
from_dtime(
max(last_seen)
) as last_seen,
detectionmethod,
snclosest,
'yes' as on_wire
from
###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod,
snclosest, onwire, apstatus, max(dtime) as last_seen from $log where $filter and
bssid is not null and logid_to_int(logid) in (43521, 43525) group by devid, vd,
ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire,
apstatus order by last_seen desc)### t where apstatus=0 and onwire='yes' group
by devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest
order by last_seen desc

default-Top- Default top IPsec VPN dial up event

IPSEC-Vpn-Dial- user by bandwidth usage
Up-User-By-
Bandwidth

Dataset Reference 91
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
coalesce(
xauthuser_agg,
user_agg,
ipstr(`remip`)
) as user_src,
from_dtime(
min(s_time)
) as start_time,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
select
devid,
vd,
string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg,
string_agg(distinct user_agg, ' ') as user_agg,
remip,
tunnelid,
min(s_time) as s_time,
max(e_time) as e_time,
(
case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_
traffic_out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)
- min(min_traffic_out) end
) as bandwidth,
(
case when min(s_time)= max(e_time) then max(max_traffic_in) else max
(max_traffic_in)- min(min_traffic_in) end
) as traffic_in,
(
case when min(s_time)= max(e_time) then max(max_traffic_out) else max
(max_traffic_out)- min(min_traffic_out) end
) as traffic_out
from
###(select devid, vd, nullifna(`xauthuser`) as xauthuser_agg, nullifna
(`user`) as user_agg, remip, tunnelid, min(coalesce(dtime, 0)) as s_time, max
(coalesce(dtime, 0)) as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out,
min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_
traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in from $log where $fil-
ter and subtype='vpn' and tunneltype like 'ipsec%' and not (tunnelip is null or
(tunnelip='0.0.0.0' and coalesce(logver, 0)!=52)) and action in ('tunnel-
stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null group by devid, vd,
xauthuser_agg, user_agg, remip, tunnelid order by tunnelid)### t group by devid,
vd, remip, tunnelid) tt group by user_src having sum(bandwidth)>0 order by band-
width desc

92 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

default-Top- Default top sources of SSL VPN event

Sources-Of-SSL- tunnels by bandwidth usage
VPN-Tunnels-
By-Bandwidth

select
remip as remote_ip,
sum(traffic_in + traffic_out) as bandwidth
from
(
select
devid,
vd,
remip,
tunnelid,
max(traffic_in) as traffic_in,
max(traffic_out) as traffic_out
from
###(select devid, vd, remip, tunnelid, max(coalesce(sentbyte, 0)) as
traffic_out, max(coalesce(rcvdbyte, 0)) as traffic_in from $log where $filter
and subtype='vpn' and tunneltype like 'ssl%' and action in ('tunnel-stats', 'tun-
nel-down') and remip is not null and tunnelid is not null group by devid, vd,
remip, tunnelid order by tunnelid)### t group by devid, vd, remip, tunnelid) tt
group by remote_ip having sum(traffic_in+traffic_out)>0 order by bandwidth desc

webfilter-Web- Webfilter web activity summary webfilter

Activity- by requests
Summary-By-
Requests

select
hodex,
sum(allowed_request) as allowed_request,
sum(blocked_request) as blocked_request
from
(
###(select $flex_timescale as hodex, sum(case when utmaction!='blocked' then
1 else 0 end) as allowed_request, sum(case when utmaction='blocked' then 1 else
0 end) as blocked_request from $log-traffic where $filter and logid_to_int
(logid) not in (4, 7, 14) and utmevent in ('webfilter', 'banned-word', 'web-con-
tent', 'command-block', 'script-filter') group by hodex order by hodex)### union
all ###(select $flex_timescale as hodex, sum(case when action!='blocked' then 1
else 0 end) as allowed_request, sum(case when action='blocked' then 1 else 0
end) as blocked_request from $log-webfilter where $filter and (eventtype is null
or logver=52) group by hodex order by hodex)###) t group by hodex order by hodex

traffic-Browsing- Traffic browsing time summary traffic

Time-Summary

Dataset Reference 93
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
hodex,
cast(
sum(delta)/ 60.0 as decimal(18, 2)
) as browsetime
from
###(select $flex_timescale as hodex, sum($browse_time) as delta from $log
where $filter and logid_to_int(logid) not in (4, 7, 14) group by hodex having
sum($browse_time)>0 order by delta desc)### t group by hodex order by hodex

traffic-Browsing- Traffic browsing time summary traffic

Time-Summary- enhanced
Enhanced

select
hodex,
cast(
sum(delta)/ 60.0 as decimal(18, 2)
) as browsetime
from
###(select $flex_timescale as hodex, sum($browse_time2) as delta from $log
where $filter and logid_to_int(logid) not in (4, 7, 14) group by hodex having
sum($browse_time2)>0 order by delta desc)### t group by hodex order by hodex

webfilter-Top- Webfilter top web users by webfilter

Web-Users-By- blocked requests
Blocked-
Requests

select
user_src,
sum(requests) as requests
from
(
###(select coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`sr-
cip`)) as user_src, count(*) as requests from $log-traffic where $filter and
logid_to_int(logid) not in (4, 7, 14) and utmevent in ('webfilter', 'banned-
word', 'web-content', 'command-block', 'script-filter') and coalesce(nullifna
(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) is not null and utmac-
tion='blocked' group by user_src order by requests desc)### union all ###(select
coalesce(nullifna(ùser`), ipstr(`srcip`)) as user_src, count(*) as requests
from $log-webfilter where $filter and (eventtype is null or logver = 52) and
coalesce(nullifna(ùser`), ipstr(`srcip`)) is not null and action='blocked'
group by user_src order by requests desc)###) t group by user_src order by
requests desc

webfilter-Top- Webfilter top web users by webfilter

Web-Users-By- allowed requests
Allowed-
Requests

94 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
user_src,
sum(requests) as requests
from
(
###(select coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`sr-
cip`)) as user_src, count(*) as requests from $log-traffic where $filter and
logid_to_int(logid) not in (4, 7, 14) and utmevent in ('webfilter', 'banned-
word', 'web-content', 'command-block', 'script-filter') and coalesce(nullifna
(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) is not null and utmac-
tion!='blocked' group by user_src order by requests desc)### union all ###
(select coalesce(nullifna(ùser`), ipstr(`srcip`)) as user_src, count(*) as
requests from $log-webfilter where $filter and (eventtype is null or logver =
52) and coalesce(nullifna(ùser`), ipstr(`srcip`)) is not null and action!-
!='blocked' group by user_src order by requests desc)###) t group by user_src
order by requests desc

traffic-Top-Web- Traffic top web users by traffic

Users-By- browsing time
Browsing-Time

select
user_src,
sum(delta) as browsetime,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, sum
($browse_time) as delta, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as
bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0))
as traffic_out from $log where $filter group by user_src having sum($browse_
time)>0 order by delta desc)### t group by user_src order by browsetime desc

webfilter-Top- Webfilter top blocked web sites webfilter

Blocked-Web- by requests
Sites-By-
Requests

Dataset Reference 95
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
domain,
catdesc,
sum(requests) as requests
from
(
###(select hostname as domain, catdesc, count(*) as requests from $log-
traffic where $filter and logid_to_int(logid) not in (4, 7, 14) and utmevent in
('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')
and hostname is not null and utmaction='blocked' group by domain, catdesc order
by requests desc)### union all ###(select hostname as domain, catdesc, count(*)
as requests from $log-webfilter where $filter and (eventtype is null or logver =
52) and hostname is not null and catdesc is not null and action='blocked' group
by domain, catdesc order by requests desc)###) t group by domain, catdesc order
by requests desc

webfilter-Top- Webfilter top allowed web sites webfilter

Allowed-Web- by requests
Sites-By-
Requests

select
domain,
string_agg(distinct catdesc, ', ') as agg_catdesc,
sum(requests) as requests
from
(
###(select hostname as domain, catdesc, count(*) as requests from $log-
traffic where $filter and logid_to_int(logid) not in (4, 7, 14) and utmevent in
('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')
and hostname is not null and utmaction!='blocked' group by domain, catdesc order
by requests desc)### union all ###(select hostname as domain, catdesc, count(*)
as requests from $log-webfilter where $filter and (eventtype is null or logver =
52) and hostname is not null and catdesc is not null and action!='blocked' group
by domain, catdesc order by requests desc)###) t group by domain order by
requests desc

webfilter-Top- Webfilter top video streaming webfilter

Video- websites by bandwidth usage
Streaming-
Websites-By-
Bandwidth

96 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
domain,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
###(select coalesce(nullifna(root_domain(hostname)), 'other') as domain, sum
(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvd-
byte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log-
traffic where $filter and logid_to_int(logid) not in (4, 7, 14) and utmevent in
('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')
and catdesc in ('Streaming Media and Download') group by domain having sum
(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)###
union all ###(select coalesce(nullifna(root_domain(hostname)), 'other') as
domain, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum
(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out
from $log-webfilter where $filter and (eventtype is null or logver = 52) and cat-
desc in ('Streaming Media and Download') group by domain having sum(coalesce
(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)###) t group by
domain order by bandwidth desc

webfilter-Top- Webfilter top blocked web webfilter

Blocked-Web- categories
Categories

select
catdesc,
sum(requests) as requests
from
(
###(select catdesc, count(*) as requests from $log-traffic where $filter and
logid_to_int(logid) not in (4, 7, 14) and utmevent in ('webfilter', 'banned-
word', 'web-content', 'command-block', 'script-filter') and catdesc is not null
and utmaction='blocked' group by catdesc order by requests desc)### union all
###(select catdesc, count(*) as requests from $log-webfilter where $filter and
(eventtype is null or logver = 52) and catdesc is not null and action='blocked'
group by catdesc order by requests desc)###) t group by catdesc order by
requests desc

webfilter-Top- Webfilter top allowed web webfilter

Allowed-Web- categories
Categories

Dataset Reference 97
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
catdesc,
sum(requests) as requests
from
(
###(select catdesc, count(*) as requests from $log-traffic where $filter and
logid_to_int(logid) not in (4, 7, 14) and utmevent in ('webfilter', 'banned-
word', 'web-content', 'command-block', 'script-filter') and catdesc is not null
and utmaction!='blocked' group by catdesc order by requests desc)### union all
###(select catdesc, count(*) as requests from $log-webfilter where $filter and
(eventtype is null or logver = 52) and catdesc is not null and action!='blocked'
group by catdesc order by requests desc)###) t group by catdesc order by
requests desc

traffic-Top-50- Traffic top sites by browsing traffic

Sites-By- time
Browsing-Time

select
hostname,
string_agg(distinct catdesc, ', ') as agg_catdesc,
sum(delta) as browsetime,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
###(select hostname, catdesc, sum($browse_time) as delta, sum(coalesce(sent-
byte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as
traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter
and logid_to_int(logid) not in (4, 7, 14) and hostname is not null group by host-
name, catdesc having sum($browse_time)>0 order by delta desc)### t group by host-
name order by browsetime desc

traffic-Top-50- Traffic top sites by browsing traffic

Sites-By- time enhanced
Browsing-Time-
Enhanced

98 Dataset Reference
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
hostname,
string_agg(distinct catdesc, ', ') as agg_catdesc,
sum(delta) as browsetime,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
###(select hostname, catdesc, sum($browse_time2) as delta, sum(coalesce(sent-
byte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as
traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter
and logid_to_int(logid) not in (4, 7, 14) and hostname is not null group by host-
name, catdesc having sum($browse_time2)>0 order by delta desc)### t group by
hostname order by browsetime desc

traffic-Top-10- Traffic top category by browsing traffic

Categories-By- time
Browsing-Time

select
catdesc,
sum(delta) as browsetime,
sum(bandwidth) as bandwidth
from
###(select catdesc, sum($browse_time) as delta, sum(coalesce(sentbyte, 0)+co-
alesce(rcvdbyte, 0)) as bandwidth from $log where $filter and logid_to_int
(logid) not in (4, 7, 14) and catdesc is not null group by catdesc having sum
($browse_time)>0 order by delta desc)### t group by catdesc order by browsetime
desc

traffic-Top-10- Traffic top category by browsing traffic

Categories-By- time enhanced
Browsing-Time-
Enhanced

select
catdesc,
sum(delta) as browsetime,
sum(bandwidth) as bandwidth
from
###(select catdesc, sum($browse_time2) as delta, sum(coalesce(sentbyte, 0)+co-
alesce(rcvdbyte, 0)) as bandwidth from $log where $filter and logid_to_int
(logid) not in (4, 7, 14) and catdesc is not null group by catdesc having sum
($browse_time2)>0 order by delta desc)### t group by catdesc order by browsetime
desc

traffic-Top- Traffic top destination countries traffic

Destination- by browsing time
Countries-By-
Browsing-Time

Dataset Reference 99
Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
dstcountry,
sum(delta) as browsetime,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
###(select dstcountry, sum($browse_time) as delta, sum(coalesce(sentbyte, 0)
+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in,
sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and logid_to_
int(logid) not in (4, 7, 14) group by dstcountry having sum($browse_time)>0
order by delta desc)### t group by dstcountry order by browsetime desc

traffic-Top- Traffic top destination countries traffic

Destination- by browsing time enhanced
Countries-By-
Browsing-Time-
Enhanced

select
dstcountry,
sum(delta) as browsetime,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
###(select dstcountry, sum($browse_time2) as delta, sum(coalesce(sentbyte, 0)
+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in,
sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and logid_to_
int(logid) not in (4, 7, 14) group by dstcountry having sum($browse_time2)>0
order by delta desc)### t group by dstcountry order by browsetime desc

webfilter-Top- Webfilter top search phrases webfilter

Search-Phrases

select
keyword,
count(*) as requests
from
$log
where
$filter
and keyword is not null
group by
keyword
order by
requests desc

Top-10-Users- Estimated browsing time traffic

Browsing-Time

100 Dataset Reference

Fortinet Inc.
Dataset Reference List

Top-10-Users- Estimated browsing time traffic

Browsing-Time- enhanced
Enhanced

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
sum($browse_time2) as browsetime
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
user_src
having
sum($browse_time2)> 0
order by
browsetime desc

Estimated- Estimated browsing time traffic

Browsing-Time

Dataset Reference 101

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

Estimated- Estimated browsing time traffic

Browsing-Time- enhanced
Enhanced

wifi-Top-AP-By- Top access point by bandwidth traffic

Bandwidth usage

102 Dataset Reference

Fortinet Inc.
Dataset Reference List

wifi-Top-AP-By- Top access point by client traffic

Client

select
srcintf,
count(distinct srcmac) as totalnum
from
###(select srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) as
subtotal from $log where $filter and logid_to_int(logid) not in (4, 7, 14) and
(srcssid is not null or dstssid is not null) and srcmac is not null group by
srcintf, srcssid, osname, osversion, devtype, srcmac order by subtotal desc)###
t group by srcintf order by totalnum desc

wifi-Top-SSID- Top SSIDs by bandwidth usage traffic

By-Bandwidth

Dataset Reference 103

Fortinet Inc.
Dataset Reference List

wifi-Top-SSID- Top SSIDs by client traffic

By-Client

select
srcssid,
count(distinct srcmac) as totalnum
from
###(select srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) as
subtotal from $log where $filter and logid_to_int(logid) not in (4, 7, 14) and
(srcssid is not null or dstssid is not null) and srcmac is not null group by
srcintf, srcssid, osname, osversion, devtype, srcmac order by subtotal desc)###
t where srcssid is not null group by srcssid order by totalnum desc

wifi-Top-App-By- Top WiFi applications by traffic

Bandwidth bandwidth usage

104 Dataset Reference

Fortinet Inc.
Dataset Reference List

wifi-Top-Client- Top WiFi client by bandwidth traffic

By-Bandwidth usage

Dataset Reference 105

Fortinet Inc.
Dataset Reference List

wifi-Top-OS-By- Top WiFi os by bandwidth traffic

Bandwidth usage

106 Dataset Reference

Fortinet Inc.
Dataset Reference List

wifi-Top-OS-By- Top WiFi os by WiFi client traffic

WiFi-Client

select
(
coalesce(osname, 'unknown') || ' ' || coalesce(osversion, '')
) as os,
count(distinct srcmac) as totalnum
from
###(select srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) as
subtotal from $log where $filter and logid_to_int(logid) not in (4, 7, 14) and
(srcssid is not null or dstssid is not null) and srcmac is not null group by
srcintf, srcssid, osname, osversion, devtype, srcmac order by subtotal desc)###
t group by os order by totalnum desc

wifi-Top-Device- Top WiFi device by bandwidth traffic

By-Bandwidth usage

Dataset Reference 107

Fortinet Inc.
Dataset Reference List

wifi-Top-Device- Top WiFi device by client traffic

By-Client

select
devtype,
count(distinct srcmac) as totalnum
from
###(select srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) as
subtotal from $log where $filter and logid_to_int(logid) not in (4, 7, 14) and
(srcssid is not null or dstssid is not null) and srcmac is not null group by
srcintf, srcssid, osname, osversion, devtype, srcmac order by subtotal desc)###
t where devtype is not null group by devtype order by totalnum desc

wifi-Overall- WiFi overall traffic traffic

Traffic

108 Dataset Reference

Fortinet Inc.
Dataset Reference List

wifi-Num- WiFi num distinct client traffic

Distinct-Client

select
count(distinct srcmac) as totalnum
from
###(select srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) as
subtotal from $log where $filter and logid_to_int(logid) not in (4, 7, 14) and
(srcssid is not null or dstssid is not null) and srcmac is not null group by
srcintf, srcssid, osname, osversion, devtype, srcmac order by subtotal desc)###
t

Top30-Subnets- Top subnets by application traffic

by-Bandwidth- bandwidth
and-Sessions

Dataset Reference 109

Fortinet Inc.
Dataset Reference List

Top30-Subnets- Top applications by bandwidth traffic

by-Application-
Bandwidth

select
ip_subnet(`srcip`) as subnet,
app_group_name(app) as app_group,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and nullifna(app) is not null
group by
subnet,
app_group
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc

110 Dataset Reference

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

Top30-Subnets- Top applications by sessions traffic

by-Application-
Sessions

select
ip_subnet(`srcip`) as subnet,
app_group_name(app) as app_group,
count(*) as sessions
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and nullifna(app) is not null
group by
subnet,
app_group
order by
sessions desc

Top30-Subnets- Top websites and web category traffic

by-Website- by bandwidth
Bandwidth

select
subnet,
website,
sum(bandwidth) as bandwidth
from
(
###(select ip_subnet(`srcip`) as subnet, hostname as website, sum(coalesce
(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $fil-
ter and hostname is not null and logid_to_int(logid) not in (4, 7, 14) and
utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block',
'script-filter') group by subnet, website order by bandwidth desc)### union all
###(select ip_subnet(`srcip`) as subnet, hostname as website, sum(coalesce(sent-
byte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-webfilter where $filter
and hostname is not null and (eventtype is null or logver=52) group by subnet,
website order by bandwidth desc)###) t group by subnet, website order by band-
width desc

Top30-Subnets- Top websites and web category traffic

by-Website-Hits by sessions

Dataset Reference 111

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
subnet,
website,
sum(hits) as hits
from
(
###(select ip_subnet(`srcip`) as subnet, hostname as website, count(*) as
hits from $log-traffic where $filter and hostname is not null and logid_to_int
(logid) not in (4, 7, 14) and utmevent in ('webfilter', 'banned-word', 'web-con-
tent', 'command-block', 'script-filter') group by subnet, website order by hits
desc)### union all ###(select ip_subnet(`srcip`) as subnet, hostname as website,
count(*) as hits from $log-webfilter where $filter and hostname is not null and
(eventtype is null or logver=52) group by subnet, website order by hits desc)
###) t group by subnet, website order by hits desc

Top30-Subnets- Top users by bandwidth traffic

with-Top10-
User-by-
Bandwidth

select
ip_subnet(`srcip`) as subnet,
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and srcip is not null
group by
subnet,
user_src
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc

Top30-Subnets- Top users by sessions traffic

with-Top10-
User-by-
Sessions

112 Dataset Reference

Fortinet Inc.
Dataset Reference List

app-Top-20- Top category and applications traffic

Category-and- by bandwidth usage
Applications-by-
Bandwidth

select
appcat,
app,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
appcat,
app
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc

app-Top-20- Top category and applications traffic

Category-and- by session
Applications-by-
Session

Dataset Reference 113

Fortinet Inc.
Dataset Reference List

app-Top-500- Top allowed applications by traffic

Allowed- bandwidth usage
Applications-by-
Bandwidth

select
from_itime(itime) as timestamp,
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
appcat,
app,
coalesce(
root_domain(hostname),
ipstr(dstip)
) as destination,
sum(
coalesce(`sentbyte`, 0)+ coalesce(`rcvdbyte`, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and action in ('accept', 'close', 'timeout')
group by
timestamp,
user_src,
appcat,
app,
destination
order by
bandwidth desc

114 Dataset Reference

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

app-Top-500- Top blocked applications by traffic

Blocked- session
Applications-by-
Session

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
appcat,
app,
count(*) as sessions
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and action in (
'deny', 'blocked', 'reset', 'dropped'
)
group by
user_src,
appcat,
app
order by
sessions desc

web-Detailed- Web detailed website browsing traffic

Website- log
Browsing-Log

Dataset Reference 115

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
from_dtime(dtime) as timestamp,
catdesc,
hostname as website,
action as status,
sum(bandwidth) as bandwidth
from
(
###(select dtime, catdesc, hostname, utmaction as action, sum(coalesce(sent-
byte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and
hostname is not null and logid_to_int(logid) not in (4, 7, 14) and utmevent in
('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')
group by dtime, catdesc, hostname, utmaction order by dtime desc)### union all
###(select dtime, catdesc, hostname, action, sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0)) as bandwidth from $log-webfilter where $filter and hostname is
not null and (eventtype is null or logver=52) group by dtime, catdesc, hostname,
action order by dtime desc)###) t group by dtime, catdesc, website, status order
by dtime desc

web-Hourly- Web hourly category and traffic

Category-and- website hits action
Website-Hits-
Action

select
hod,
website,
sum(hits) as hits
from
(
###(select $hour_of_day as hod, (hostname || ' (' || coalesce(`catdesc`,
'Unknown') || ')') as website, count(*) as hits from $log-traffic where $filter
and hostname is not null and logid_to_int(logid) not in (4, 7, 14) and utmevent
in ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')
group by hod, website order by hod, hits desc)### union all ###(select $hour_of_
day as hod, (hostname || ' (' || coalesce(`catdesc`, 'Unknown') || ')') as web-
site , count(*) as hits from $log-webfilter where $filter and hostname is not
null and (eventtype is null or logver=52) group by hod, website order by hod,
hits desc)###) t group by hod, website order by hod, hits desc

web-Top-20- Web top category and websites traffic

Category-and- by bandwidth usage
Websites-by-
Bandwidth

116 Dataset Reference

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
website,
catdesc,
sum(bandwidth) as bandwidth
from
(
###(select hostname as website, catdesc, sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and hostname is not
null and logid_to_int(logid) not in (4, 7, 14) and utmevent in ('webfilter',
'banned-word', 'web-content', 'command-block', 'script-filter') group by web-
site, catdesc order by bandwidth desc)### union all ###(select hostname as web-
site, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth
from $log-webfilter where $filter and hostname is not null and (eventtype is
null or logver=52) group by website, catdesc order by bandwidth desc)###) t
group by website, catdesc order by bandwidth desc

web-Top-20- Web top category and websites traffic

Category-and- by session
Websites-by-
Session

select
website,
catdesc,
sum(hits) as hits
from
(
###(select hostname as website, catdesc, count(*) as hits from $log-traffic
where $filter and hostname is not null and logid_to_int(logid) not in (4, 7, 14)
and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block',
'script-filter') group by website, catdesc order by hits desc)### union all ###
(select hostname as website, catdesc, count(*) as hits from $log-webfilter where
$filter and hostname is not null and (eventtype is null or logver=52) group by
website, catdesc order by hits desc)###) t group by website, catdesc order by
hits desc

web-Top-500- Web top website sessions by traffic

Website- bandwidth usage
Sessions-by-
Bandwidth

Dataset Reference 117

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
from_dtime(dtime) as timestamp,
user_src,
website,
catdesc,
cast(
sum(dura)/ 60 as decimal(18, 2)
) as dura,
sum(bandwidth) as bandwidth
from
###(select dtime, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`sr-
cip`)) as user_src, hostname as website, catdesc, sum(coalesce(duration, 0)) as
dura, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log
where $filter and hostname is not null and logid_to_int(logid) not in (4, 7, 14)
and action in ('accept','close','timeout') group by dtime, user_src, website,
catdesc having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by band-
width desc)### t group by dtime, user_src, website, catdesc order by bandwidth
desc

web-Top-500- Web top user visted websites by traffic

User-Visted- bandwidth usage
Websites-by-
Bandwidth

select
website,
catdesc,
sum(bandwidth) as bandwidth
from
(
###(select hostname as website, catdesc, sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and hostname is not
null and logid_to_int(logid) not in (4, 7, 14) and utmevent in ('webfilter',
'banned-word', 'web-content', 'command-block', 'script-filter') group by host-
name, catdesc having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by
bandwidth desc)### union all ###(select hostname as website, catdesc, sum
(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-webfilter
where $filter and hostname is not null and (eventtype is null or logver=52)
group by hostname, catdesc order by bandwidth desc)###) t group by website, cat-
desc order by bandwidth desc

web-Top-500- Web top user visted websites by traffic

User-Visted- session
Websites-by-
Session

118 Dataset Reference

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
website,
catdesc,
sum(sessions) as sessions
from
(
###(select hostname as website, catdesc, count(*) as sessions from $log-
traffic where $filter and hostname is not null and logid_to_int(logid) not in
(4, 7, 14) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-
block', 'script-filter') group by hostname, catdesc order by sessions desc)###
union all ###(select hostname as website, catdesc, count(*) as sessions from
$log-webfilter where $filter and hostname is not null and (eventtype is null or
logver=52) group by hostname, catdesc order by sessions desc)###) t group by web-
site, catdesc order by sessions desc

fct-Installed- Installed Feature Summary fct-event

Feature-
Summary

select
clientfeature,
count(*) as totalnum
from
$log
where
$filter
and clientfeature is not null
group by
clientfeature
order by
totalnum desc

fct-Device-by- Device by OS fct-event

Operating-
System

select
os,
count(*) as totalnum
from
$log
where
$filter
and os is not null
group by
os
order by
totalnum desc

Dataset Reference 119

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

fct-Installed- FortiClient Version fct-event

FortiClient-
Version

select
fctver_trim(fctver) as fctver_short,
count(*) as totalnum
from
$log
where
$filter
and fctver is not null
group by
fctver_short
order by
totalnum desc

fct-Endpoint- Endpoint Profile Deployment fct-event

Profile-
Deployment

select
coalesce(
nullifna(usingpolicy),
'Unknown'
) as profile,
count(*) as totalnum
from
$log
where
$filter
group by
profile
order by
totalnum desc

fct-Client- Client Summary fct-event

Summary

120 Dataset Reference

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
devicehostname,
deviceip,
os,
profile,
hostuser,
fctver_short
from
###(select devicehostname, deviceip, os, coalesce(nullifna(usingpolicy),
'Unknown') as profile, coalesce(nullifna(`user`), 'Unknown') as hostuser,
fctver_trim(fctver) as fctver_short from $log where $filter and os is not null
group by devicehostname, deviceip, os, profile, hostuser, fctver_short)### t
group by devicehostname, deviceip, os, profile, hostuser, fctver_short

fct-Total- Total Threats Found fct-traffic

Threats-Found

select
coalesce(
nullifna(utmevent),
'Unknown'
) as utmevent,
count(*) as totalnum
from
$log
where
$filter
group by
utmevent
order by
totalnum desc

fct-Top10-AV- Top AV Threats Detected fct-traffic

Threats-
Detected

select
srcname,
count(*) as totalnum
from
$log
where
$filter
and srcname is not null
and lower(utmevent)= 'antivirus'
group by
srcname
order by
totalnum desc

Dataset Reference 121

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

fct-Top10- Top Infected Devices with fct-traffic

Infected- Botnet
Devices-with-
Botnet

select
hostname,
count(*) as totalnum
from
$log
where
$filter
and hostname is not null
and lower(utmevent) in ('webfilter', 'appfirewall')
and lower(threat) like '%botnet%'
group by
hostname
order by
totalnum desc

fct-Top10- Top Infected Devices with Virus fct-traffic

Infected- Malware
Devices-with-
Virus-Malware

select
hostname,
count(*) as totalnum
from
$log
where
$filter
and hostname is not null
and lower(utmevent) in ('antivirus', 'antimalware')
group by
hostname
order by
totalnum desc

fct-All-Antivirus- All Antivirus and Antimalware fct-traffic

Antimalware- Detections
Detections

122 Dataset Reference

Fortinet Inc.
Dataset Reference List

fct-Web-Filter- Web Filter Violations fct-traffic

Violations

select
remotename,
hostname,
coalesce(
nullifna(`user`),
'Unknown'
) as hostuser,
utmaction,
count(*) as totalnum
from
$log
where
$filter
and lower(utmevent)= 'webfilter'
group by
remotename,
hostname,
hostuser,
utmaction

fct-Application- Application Firewall fct-traffic

Firewall

Dataset Reference 123

Fortinet Inc.
Dataset Reference List

fct-Errors-and- Errors and Alerts fct-event

Alerts

select
msg,
devicehostname,
coalesce(
nullifna(`user`),
'Unknown'
) as hostuser
from
$log
where
$filter
and level in ('error', 'alert')
group by
msg,
devicehostname,
hostuser

fct-Threats-by- Threats by Top Devices fct-traffic

Top-Devices

124 Dataset Reference

Fortinet Inc.
Dataset Reference List

os-Detect-OS- Detected operation system traffic

Count count

select
(
coalesce(osname, 'Unknown')
) as os,
count(*) as totalnum
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
os
order by
totalnum desc

drilldown-Top- Drilldown top applications by traffic

App-By- session count
Sessions-Table

select
appid,
app,
sum(sessions) as sessions
from
###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`),
ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as ses-
sions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log
where $filter-exclude-var and logid_to_int(logid) not in (4, 7, 14) group by
appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)
### t where $filter-var-only and nullifna(app) is not null group by appid, app
order by sessions desc

Dataset Reference 125

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

drilldown-Top- Drilldown top applications by traffic

App-By- session count
Sessions-Bar

drilldown-Top- Drilldown top applications by traffic

App-By- bandwidth usage
Bandwidth-Table

select
appid,
app,
sum(bandwidth) as bandwidth
from
###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`),
ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as ses-
sions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log
where $filter-exclude-var and logid_to_int(logid) not in (4, 7, 14) group by
appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)
### t where $filter-var-only and nullifna(app) is not null group by appid, app
having sum(bandwidth)>0 order by bandwidth desc

drilldown-Top- Drilldown top applications by traffic

App-By- bandwidth usage
Bandwidth-Bar

126 Dataset Reference

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

drilldown-Top- Drilldown top destination by traffic

Destination-By- session count
Sessions-Table

select
dstip,
sum(sessions) as sessions
from
###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`),
ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as ses-
sions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log
where $filter-exclude-var and logid_to_int(logid) not in (4, 7, 14) group by
appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)
### t where $filter-var-only and dstip is not null group by dstip order by ses-
sions desc

drilldown-Top- Drilldown top destination by traffic

Destination-By- bandwidth usage
Bandwidth-Table

select
dstip,
sum(bandwidth) as bandwidth
from
###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`),
ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as ses-
sions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log
where $filter-exclude-var and logid_to_int(logid) not in (4, 7, 14) group by
appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)
### t where $filter-var-only and dstip is not null group by dstip having sum
(bandwidth)>0 order by bandwidth desc

drilldown-Top- Drilldown top user by session traffic

User-By- count
Sessions-Table

Dataset Reference 127

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
user_src,
sum(sessions) as sessions
from
###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`),
ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as ses-
sions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log
where $filter-exclude-var and logid_to_int(logid) not in (4, 7, 14) group by
appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)
### t where $filter-var-only and user_src is not null group by user_src order by
sessions desc

drilldown-Top- Drilldown top user by session traffic

User-By- count
Sessions-Bar

drilldown-Top- Drilldown top user by bandwidth traffic

User-By- usage
Bandwidth-Table

select
user_src,
sum(bandwidth) as bandwidth
from
###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`),
ipstr(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as ses-
sions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log
where $filter-exclude-var and logid_to_int(logid) not in (4, 7, 14) group by
appid, app, user_src, dstip, srcintf, dstintf, policyid order by sessions desc)
### t where $filter-var-only and user_src is not null group by user_src having
sum(bandwidth)>0 order by bandwidth desc

drilldown-Top- Drilldown top user by bandwidth traffic

User-By- usage
Bandwidth-Bar

128 Dataset Reference

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

drilldown-Top- Drilldown top web user by visit traffic

Web-User-By-
Visit-Table

select
user_src,
sum(requests) as visits
from
(
###(select coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`sr-
cip`)) as user_src, hostname, count(*) as requests from $log-traffic where $fil-
ter-exclude-var and logid_to_int(logid) not in (4, 7, 14) and utmevent in
('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')
and hostname is not null group by user_src, hostname order by requests desc)###
union all ###(select coalesce(nullifna(ùser`), ipstr(`srcip`)) as user_src,
hostname, count(*) as requests from $log-webfilter where $filter-exclude-var and
(eventtype is null or logver = 52) and hostname is not null group by user_src,
hostname order by requests desc)###) t where $filter-var-only and user_src is
not null group by user_src order by visits desc

drilldown-Top- Drilldown top web user by visit traffic

Web-User-By-
Visit-Bar

Dataset Reference 129

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

drilldown-Top- Drilldown top website by traffic

Website-By- request
Request-Table

select
hostname,
sum(requests) as visits
from
(
###(select coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`sr-
cip`)) as user_src, hostname, count(*) as requests from $log-traffic where $fil-
ter-exclude-var and logid_to_int(logid) not in (4, 7, 14) and utmevent in
('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')
and hostname is not null group by user_src, hostname order by requests desc)###
union all ###(select coalesce(nullifna(ùser`), ipstr(`srcip`)) as user_src,
hostname, count(*) as requests from $log-webfilter where $filter-exclude-var and
(eventtype is null or logver = 52) and hostname is not null group by user_src,
hostname order by requests desc)###) t where $filter-var-only and hostname is
not null group by hostname order by visits desc

drilldown-Top- Drilldown top website by traffic

Website-By- request
Request-Bar

130 Dataset Reference

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

drilldown-Top- Drilldown top email sender by traffic

Email-Sender- volume
By-Volume

select
sender,
sum(bandwidth) as volume
from
(
###(select sender, recipient, count(*) as requests, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter-exclude-
var and logid_to_int(logid) not in (4, 7, 14) and service in ('smtp', 'SMTP',
'25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and utmevent in ('general-
email-log', 'spamfilter') group by sender, recipient order by requests desc)###
union all ###(select `from` as sender, `to` as recipient, count(*) as requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-email-
filter where $filter-exclude-var and service in ('smtp', 'SMTP', '25/tcp',
'587/tcp', 'smtps', 'SMTPS', '465/tcp') and eventtype is null group by `from`,
`to` order by requests desc)###) t where $filter-var-only and sender is not null
group by sender having sum(bandwidth)>0 order by volume desc

drilldown-Top- Drilldown top email send traffic

Email-Send- recipient by volume
Recipient-By-
Volume

Dataset Reference 131

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
recipient,
sum(bandwidth) as volume
from
(
###(select sender, recipient, count(*) as requests, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter-exclude-
var and logid_to_int(logid) not in (4, 7, 14) and service in ('smtp', 'SMTP',
'25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and utmevent in ('general-
email-log', 'spamfilter') group by sender, recipient order by requests desc)###
union all ###(select `from` as sender, `to` as recipient, count(*) as requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-email-
filter where $filter-exclude-var and service in ('smtp', 'SMTP', '25/tcp',
'587/tcp', 'smtps', 'SMTPS', '465/tcp') and eventtype is null group by `from`,
`to` order by requests desc)###) t where $filter-var-only and recipient is not
null group by recipient having sum(bandwidth)>0 order by volume desc

drilldown-Top- Drilldown top email sender by traffic

Email-Sender- count
By-Count

select
sender,
sum(requests) as requests
from
(
###(select sender, recipient, count(*) as requests, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter-exclude-
var and logid_to_int(logid) not in (4, 7, 14) and service in ('smtp', 'SMTP',
'25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and utmevent in ('general-
email-log', 'spamfilter') group by sender, recipient order by requests desc)###
union all ###(select `from` as sender, `to` as recipient, count(*) as requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-email-
filter where $filter-exclude-var and service in ('smtp', 'SMTP', '25/tcp',
'587/tcp', 'smtps', 'SMTPS', '465/tcp') and eventtype is null group by `from`,
`to` order by requests desc)###) t where $filter-var-only and sender is not null
group by sender order by requests desc

drilldown-Top- Drilldown top email send traffic

Email-Send- recipient by count
Recipient-By-
Count

132 Dataset Reference

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
recipient,
sum(requests) as requests
from
(
###(select sender, recipient, count(*) as requests, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter-exclude-
var and logid_to_int(logid) not in (4, 7, 14) and service in ('smtp', 'SMTP',
'25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and utmevent in ('general-
email-log', 'spamfilter') group by sender, recipient order by requests desc)###
union all ###(select `from` as sender, `to` as recipient, count(*) as requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-email-
filter where $filter-exclude-var and service in ('smtp', 'SMTP', '25/tcp',
'587/tcp', 'smtps', 'SMTPS', '465/tcp') and eventtype is null group by `from`,
`to` order by requests desc)###) t where $filter-var-only and recipient is not
null group by recipient order by requests desc

drilldown-Top- Drilldown top email receiver by traffic

Email-Recipient- volume
By-Volume

select
recipient,
sum(bandwidth) as volume
from
(
###(select recipient, sender, count(*) as requests, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and
logid_to_int(logid) not in (4, 7, 14) and service in ('pop3', 'POP3', '110/tcp',
'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S',
'995/tcp') and utmevent in ('general-email-log', 'spamfilter') group by recip-
ient, sender order by requests desc)### union all ###(select `to` as recipient,
`from` as sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvd-
byte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and ser-
vice in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS',
'993/tcp', 'pop3s', 'POP3S', '995/tcp') and eventtype is null group by `to`,
`from` order by requests desc)###) t where $filter-var-only and recipient is not
null group by recipient having sum(bandwidth)>0 order by volume desc

drilldown-Top- Drilldown top email receive traffic

Email-Receive- sender by volume
Sender-By-
Volume

Dataset Reference 133

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
sender,
sum(bandwidth) as volume
from
(
###(select recipient, sender, count(*) as requests, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and
logid_to_int(logid) not in (4, 7, 14) and service in ('pop3', 'POP3', '110/tcp',
'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S',
'995/tcp') and utmevent in ('general-email-log', 'spamfilter') group by recip-
ient, sender order by requests desc)### union all ###(select `to` as recipient,
`from` as sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvd-
byte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and ser-
vice in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS',
'993/tcp', 'pop3s', 'POP3S', '995/tcp') and eventtype is null group by `to`,
`from` order by requests desc)###) t where $filter-var-only and sender is not
null group by sender having sum(bandwidth)>0 order by volume desc

drilldown-Top- Drilldown top email receiver by traffic

Email-Recipient- count
By-Count

select
recipient,
sum(requests) as requests
from
(
###(select recipient, sender, count(*) as requests, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and
logid_to_int(logid) not in (4, 7, 14) and service in ('pop3', 'POP3', '110/tcp',
'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S',
'995/tcp') and utmevent in ('general-email-log', 'spamfilter') group by recip-
ient, sender order by requests desc)### union all ###(select `to` as recipient,
`from` as sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvd-
byte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and ser-
vice in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS',
'993/tcp', 'pop3s', 'POP3S', '995/tcp') and eventtype is null group by `to`,
`from` order by requests desc)###) t where $filter-var-only and recipient is not
null group by recipient order by requests desc

drilldown-Top- Drilldown top email receive traffic

Email-Receive- sender by count
Sender-By-
Count

134 Dataset Reference

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
sender,
sum(requests) as requests
from
(
###(select recipient, sender, count(*) as requests, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and
logid_to_int(logid) not in (4, 7, 14) and service in ('pop3', 'POP3', '110/tcp',
'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S',
'995/tcp') and utmevent in ('general-email-log', 'spamfilter') group by recip-
ient, sender order by requests desc)### union all ###(select `to` as recipient,
`from` as sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvd-
byte, 0)) as bandwidth from $log-emailfilter where $filter-exclude-var and ser-
vice in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS',
'993/tcp', 'pop3s', 'POP3S', '995/tcp') and eventtype is null group by `to`,
`from` order by requests desc)###) t where $filter-var-only and sender is not
null group by sender order by requests desc

drilldown-Top- Drilldown top attack dest attack

Attack-
Destination

select
dstip,
sum(totalnum) as totalnum
from
###(select srcip, dstip, count(*) as totalnum from $log where $filter-exclude-
var group by srcip, dstip order by totalnum desc)### t where $filter-var-only
and dstip is not null group by dstip order by totalnum desc

drilldown-Top- Drilldown top attack source attack

Attack-Source

select
srcip,
sum(totalnum) as totalnum
from
###(select srcip, dstip, count(*) as totalnum from $log where $filter-exclude-
var group by srcip, dstip order by totalnum desc)### t where $filter-var-only
and srcip is not null group by srcip order by totalnum desc

drilldown-Top- Drilldown top attack list attack

Attack-List

Dataset Reference 135

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
from_itime(itime) as timestamp,
attack,
srcip,
dstip
from
###(select itime, attack, srcip, dstip from $log where $filter-exclude-var
order by itime desc)### t where $filter-var-only order by itime desc

drilldown-Top- UTM top virus traffic

Virus

drilldown-Virus- Drilldown virus detail traffic

Detail

select
from_itime(itime) as timestamp,
virus,
user_src,
dstip,
hostname,
recipient
from
(
###(select itime, virus, coalesce(nullifna(ùser`), nullifna(ùnauthuser`),
ipstr(`srcip`)) as user_src, dstip, hostname, recipient from $log-traffic where
$filter-exclude-var and logid_to_int(logid) not in (4, 7, 14) and utmevent is
not null and virus is not null order by itime desc)### union all ###(select
itime, virus, coalesce(nullifna(ùser`), ipstr(`srcip`)) as user_src, dstip,
cast(' ' as char) as hostname, cast(' ' as char) as recipient from $log-virus
where $filter-exclude-var and (eventtype is null or logver = 52) and nullifna
(virus) is not null order by itime desc)###) t where $filter-var-only order by
itime desc

136 Dataset Reference

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

user-drilldown- User drilldown top blocked web webfilter

Top-Blocked- sites by requests
Web-Sites-By-
Requests

select
hostname,
sum(requests) as requests
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, hostname,
action, count(*) as requests from $log where $filter-exclude-var and hostname is
not null group by user_src, hostname, action order by requests desc)### t where
$filter-var-only and action='blocked' group by hostname order by requests desc

user-drilldown- User drilldown top allowed web webfilter

Top-Allowed- sites by requests
Web-Sites-By-
Requests

select
hostname,
sum(requests) as requests
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, hostname,
action, count(*) as requests from $log where $filter-exclude-var and hostname is
not null group by user_src, hostname, action order by requests desc)### t where
$filter-var-only and action!='blocked' group by hostname order by requests desc

user-drilldown- User drilldown top blocked web webfilter

Top-Blocked- categories
Web-Categories

select
catdesc,
sum(requests) as requests
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, catdesc,
action, count(*) as requests from $log where $filter-exclude-var and catdesc is
not null group by user_src, catdesc, action order by requests desc)### t where
$filter-var-only and action='blocked' group by catdesc order by requests desc

user-drilldown- User drilldown top allowed web webfilter

Top-Allowed- categories
Web-Categories

Dataset Reference 137

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

user-drilldown- User drilldown top attacks by attack

Top-Attacks name

select
attack,
sum(attack_count) as attack_count
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, attack,
(case when severity in ('critical', 'high') then 1 else 0 end) as high_severity,
count(*) as attack_count from $log where $filter-exclude-var and nullifna
(attack) is not null group by user_src, attack, high_severity order by attack_
count desc)### t where $filter-var-only group by attack order by attack_count
desc

user-drilldown- User drilldown top attacks high attack

Top-Attacks- severity
High-Severity

user-drilldown- User drilldown top virus virus

Top-Virus-By-
Name

select
virus,
sum(totalnum) as totalnum
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus,
count(*) as totalnum from $log where $filter-exclude-var and nullifna(virus) is
not null group by user_src, virus order by totalnum desc)### t where $filter-
var-only group by virus order by totalnum desc

138 Dataset Reference

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

user-drilldown- User drilldown top virus virus

Top-Virus- receivers over email
Receivers-Over-
Email

select
receiver,
sum(totalnum) as totalnum
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, `to` as
receiver, count(*) as totalnum from $log where $filter-exclude-var and sub-
type='infected' and (service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps',
'SMTPS', '465/tcp') or service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP',
'143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp')) and nul-
lifna(virus) is not null group by user_src, receiver order by totalnum desc)###
t where $filter-var-only group by receiver order by totalnum desc

user-drilldown- User drilldown count spam emailfilter

Count-Spam- activity by hour of day
Activity-by-Hour-
of-Day

select
hourstamp,
sum(totalnum) as totalnum
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, $hour_of_
day as hourstamp, count(*) as totalnum from $log where $filter-exclude-var and
`to` is not null and action in ('detected', 'blocked') group by user_src,
hourstamp order by hourstamp)### t where $filter-var-only group by hourstamp
order by hourstamp

user-drilldown- User drilldown top spam emailfilter

Top-Spam- sources
Sources

select
mf_sender,
sum(totalnum) as totalnum
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, `from` as
mf_sender, count(*) as totalnum from $log where $filter-exclude-var and `from`
is not null and action in ('detected', 'blocked') group by user_src, mf_sender
order by totalnum desc)### t where $filter-var-only group by mf_sender order by
totalnum desc

event-Usage- Event usage CPU event

CPU

Dataset Reference 139

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
hourstamp,
cast(
sum(cpu_usage)/ sum(num) as decimal(6, 2)
) as cpu_avg_usage
from
###(select $hour_of_day as hourstamp, sum(cpu) as cpu_usage, count(*) as num
from $log where $filter and subtype='system' and action='perf-stats' group by
hourstamp)### t group by hourstamp order by hourstamp

event-Usage- Event usage memory event

Memory

select
hourstamp,
cast(
sum(mem_usage)/ sum(num) as decimal(6, 2)
) as mem_avg_usage
from
###(select $hour_of_day as hourstamp, sum(mem) as mem_usage, count(*) as num
from $log where $filter and subtype='system' and action='perf-stats' group by
hourstamp)### t group by hourstamp order by hourstamp

event-Usage- Event usage sessions event

Sessions

select
hourstamp,
cast(
sum(sess_usage)/ sum(num) as decimal(10, 2)
) as sess_avg_usage
from
###(select $hour_of_day as hourstamp, sum(totalsession) as sess_usage, count
(*) as num from $log where $filter and subtype='system' and action='perf-stats'
group by hourstamp)### t group by hourstamp order by hourstamp

event-Usage- Event usage CPU sessions event

CPU-Sessions

140 Dataset Reference

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
hourstamp,
cast(
sum(sess_usage)/ sum(num) as decimal(10, 2)
) as sess_avg_usage,
cast(
sum(cpu_usage)/ sum(num) as decimal(6, 2)
) as cpu_avg_usage
from
###(select $hour_of_day as hourstamp, sum(cpu) as cpu_usage, sum(totalsession)
as sess_usage, count(*) as num from $log where $filter and subtype='system' and
action='perf-stats' group by hourstamp)### t group by hourstamp order by
hourstamp

App-Risk-Top- Top users by bandwidth usage traffic

Users-By-
Bandwidth

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
srcip,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth,
sum(
coalesce(rcvdbyte, 0)
) as traffic_in,
sum(
coalesce(sentbyte, 0)
) as traffic_out
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and srcip is not null
group by
user_src,
srcip
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc

Dataset Reference 141

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

App-Risk-Top- Application risk top user source traffic

User-Source-By- by session count
Sessions

select
srcip,
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
count(*) as sessions
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and srcip is not null
group by
srcip,
user_src
order by
sessions desc

App-Risk-Top- Application risk reputation top traffic

Users-By- users by scores
Reputation-
Scores-Bar

142 Dataset Reference

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

App-Risk-Top- Application risk reputation top traffic

Devices-By- devices by scores
Reputation-
Scores

App-Risk- Application risk application traffic

Application- usage by category
Usage-By-
Category-With-
Pie

Dataset Reference 143

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

App-Risk-App- Application risk application traffic

Usage-by- usage by category
Category

Top-20- Webfilter categories by webfilter

Categories-By- bandwidth usage
Bandwidth

select
catdesc,
sum(bandwidth) as bandwidth
from
(
###(select catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as band-
width from $log-traffic where $filter and logid_to_int(logid) not in (4, 7, 14)
and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block',
'script-filter') and catdesc is not null group by catdesc order by bandwidth
desc)### union all ###(select catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvd-
byte, 0)) as bandwidth from $log-webfilter where $filter and (eventtype is null
or logver = 52) and catdesc is not null group by catdesc order by bandwidth
desc)###) t group by catdesc order by bandwidth desc

App-Risk-Key- Application risk application traffic

Applications- activity
Crossing-The-
Network

144 Dataset Reference

Fortinet Inc.
Dataset Reference List

App-Risk- Application risk applications traffic

Applications- running over HTTP
Running-Over-
HTTP

select
app_group_name(app) as app_group,
service,
count(*) as sessions,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and nullifna(app) is not null
and service in (
'80/tcp', '443/tcp', 'HTTP', 'HTTPS',
'http', 'https'
)
group by
app_group,
service
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc

Dataset Reference 145

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

App-Risk-Top- Application risk web browsing traffic

Web-Sites- summary category
Visited-By-
Network-Users-
Pie-Cha

select
catdesc,
sum(num_sess) as num_sess,
sum(bandwidth) as bandwidth
from
(
###(select catdesc, count(*) as num_sess, sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and logid_to_int
(logid) not in (4, 7, 14) and utmevent in ('webfilter', 'banned-word', 'web-con-
tent', 'command-block', 'script-filter') and catdesc is not null group by cat-
desc order by num_sess desc)### union all ###(select catdesc, count(*) as num_
sess, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-
webfilter where $filter and (eventtype is null or logver = 52) and catdesc is
not null group by catdesc order by num_sess desc)###) t group by catdesc order
by num_sess desc

App-Risk-Top- Application risk web browsing traffic

Web-Sites- summary category
Visited-By-
Network-Users

App-Risk-Web- Application risk web browsing traffic

Browsing- activity hostname category
Hostname-
Category

146 Dataset Reference

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
domain,
catdesc,
sum(visits) as visits
from
(
###(select coalesce(nullifna(hostname), ipstr(`dstip`)) as domain, catdesc,
count(*) as visits from $log-traffic where $filter and logid_to_int(logid) not
in (4, 7, 14) and utmevent in ('webfilter', 'banned-word', 'web-content', 'com-
mand-block', 'script-filter') and catdesc is not null group by domain, catdesc
order by visits desc)### union all ###(select coalesce(nullifna(hostname), ipstr
(`dstip`)) as domain, catdesc, count(*) as visits from $log-webfilter where $fil-
ter and (eventtype is null or logver = 52) and catdesc is not null group by
domain, catdesc order by visits desc)###) t group by domain, catdesc order by
visits desc

Top-Destination- Traffic top destination countries traffic

Countries-By- by browsing time
Browsing-Time

Top-Destination- Traffic top destination countries traffic

Countries-By- by browsing time enhanced
Browsing-Time-
Enhanced

select
dstcountry,
sum(delta) as browsetime,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
###(select dstcountry, sum($browse_time2) as delta, sum(coalesce(sentbyte, 0)
+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in,
sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and logid_to_
int(logid) not in (4, 7, 14) group by dstcountry having sum($browse_time2)>0
order by delta desc)### t group by dstcountry order by browsetime desc

Dataset Reference 147

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

App-Risk-Traffic- Traffic top domains by browsing traffic

Top-Hostnames- time
By-Browsing-
Time

select
hostname,
sum($browse_time) as browsetime,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth,
sum(
coalesce(rcvdbyte, 0)
) as traffic_in,
sum(
coalesce(sentbyte, 0)
) as traffic_out
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and hostname is not null
group by
hostname
having
sum($browse_time)> 0
order by
browsetime desc

App-Risk-Traffic- Traffic top domains by browsing traffic

Top-Hostnames- time enhanced
By-Browsing-
Time-Enhanced

148 Dataset Reference

Fortinet Inc.
Dataset Reference List

App-Risk-Top- Application risk top threat attack

Threat-Vectors- vectors
Crossing-The-
Network

select
severity,
count(*) as totalnum
from
$log
where
$filter
group by
severity
order by
totalnum desc

App-Risk-Top- Application risk top critical attack

Critical-Threat- threat vectors
Vectors-
Crossing-The-
Network

Dataset Reference 149

Fortinet Inc.
Dataset Reference List

App-Risk-Top- Application risk top high threat attack

High-Threat- vectors
Vectors-
Crossing-The-
Network

select
attack,
severity,
ref,
count(*) as totalnum
from
$log
where
$filter
and severity = 'high'
and nullifna(attack) is not null
group by
attack,
severity,
ref
order by
totalnum desc

App-Risk-Top- Application risk top medium attack

Medium-Threat- threat vectors
Vectors-
Crossing-The-
Network

150 Dataset Reference

Fortinet Inc.
Dataset Reference List

App-Risk-Top- Application risk top low threat attack

Low-Threat- vectors
Vectors-
Crossing-The-
Network

select
attack,
severity,
ref,
count(*) as totalnum
from
$log
where
$filter
and severity = 'low'
and nullifna(attack) is not null
group by
attack,
severity,
ref
order by
totalnum desc

App-Risk-Top- Application risk top info threat attack

Info-Threat- vectors
Vectors-
Crossing-The-
Network

Dataset Reference 151

Fortinet Inc.
Dataset Reference List

App-Risk-Top- UTM top virus traffic

Virus-By-Name

App-Risk-Top- UTM top virus user traffic

Virus-Victim

152 Dataset Reference

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

App-Risk-Data- Application risk DLP UTM event traffic

Loss-Prevention-
Type-Events

select
utmsubtype,
sum(number) as number
from
(
###(select utmsubtype, count(*) as number from $log-traffic where $filter
and logid_to_int(logid) not in (4, 7, 14) and utmevent='dlp' and utmsubtype is
not null group by utmsubtype order by number desc)### union all ###(select sub-
type as utmsubtype, count(*) as number from $log-dlp where $filter and subtype
is not null group by subtype order by number desc)###) t group by utmsubtype
order by number desc

App-Risk- Application risk vulnerability netscan

Vulnerability- discovered
Discovered

Dataset Reference 153

Fortinet Inc.
Dataset Reference List

App-Risk- Application risk virus discovered traffic

Malware-
Discovered

select
dom,
sum(totalnum) as totalnum
from
(
###(select $DAY_OF_MONTH as dom, count(*) as totalnum from $log-traffic
where $filter and logid_to_int(logid) not in (4, 7, 14) and utmevent is not null
and virus is not null group by dom order by totalnum desc)### union all ###
(select $DAY_OF_MONTH as dom, count(*) as totalnum from $log-virus where $filter
and nullifna(virus) is not null and (eventtype is null or logver = 52) group by
dom order by totalnum desc)###) t group by dom order by totalnum desc

App-Risk- Application risk breakdown of traffic

Breakdown-Of- risk applications
Risk-
Applications

154 Dataset Reference

Fortinet Inc.
Dataset Reference List

App-Risk- Application risk number of traffic

Number-Of- applications by risk behavior
Applications-By-
Risk-Behavior

select
d_risk,
coalesce(
d_behavior, 'Other Applications'
) as f_behavior,
count(*) as number
from
$log t1
inner join app_mdata t2 on t1.appid = t2.id
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
d_risk,
d_behavior
order by
d_risk desc,
number desc

App-Risk-High- Application risk high risk traffic

Risk-Application application

Dataset Reference 155

Fortinet Inc.
Dataset Reference List

Apprisk-Ctrl- Severe and high risk traffic

Severe-High- applications
Risk-Application

select
appcat,
count(distinct app) as total_num
from
###(select appcat, app from $log where $filter and app is not null and appcat
is not null and logid_to_int(logid) not in (4, 7, 14) and apprisk in ('crit-
ical', 'high') group by appcat, app)### t group by appcat order by total_num
desc

Apprisk-Ctrl- Threat Prevention traffic

Threats-
Prevention

156 Dataset Reference

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
threat_name,
sum(total_num) as total_num
from
(
###(select cast('Malware & Botnet C&C' as char(32)) as threat_name, count(*)
as total_num from $log-app-ctrl where $filter and lower(appcat)='botnet')###
union all ###(select cast('Malware & Botnet C&C' as char(32)) as threat_name,
count(*) as total_num from $log-virus where $filter and nullifna(virus) is not
null)### union all ###(select cast('Malicious & Phishing Sites' as char(32)) as
threat_name, count(*) as total_num from $log-webfilter where $filter and cat in
(26, 61))### union all ###(select cast('Critical & High Intrusion Attacks' as
char(32)) as threat_name, count(*) as total_num from $log-attack where $filter
and severity in ('critical', 'high'))###) t group by threat_name having sum
(total_num) > 0 order by total_num desc

Apprisk-Ctrl- Application vulnerabilities attack

Application- discovered
Vulnerability

select
attack,
ref,
vuln_type,
severity_number,
count(distinct dstip) as victims,
count(distinct srcip) as sources,
sum(totalnum) as totalnum
from
###(select attack, ref, vuln_type, (case when t1.severity='critical' then 5
when t1.severity='high' then 4 when t1.severity='medium' then 3 when t1.-
severity='low' then 2 when t1.severity='info' then 1 else 0 end) as severity_num-
ber, dstip, srcip, count(*) as totalnum from $log t1 left join ips_mdata t2 on
t1.attack=t2.name where $filter and nullifna(attack) is not null and t1.severity
is not null group by attack, ref, vuln_type, t1.severity, dstip, srcip )### t
group by attack, ref, vuln_type, severity_number order by severity_number desc,
totalnum desc

Apprisk-Ctrl- Severe and high risk traffic

Breakdown-Of- applications
High-Risk-
Application

Dataset Reference 157

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

Apprisk-Ctrl-Top- Application risk high risk traffic

20-High-Risk- application
Application

select
d_risk,
count(distinct f_user) as users,
id,
name,
app_cat,
technology,
sum(bandwidth) as bandwidth,
sum(sessions) as sessions
from
###(select (case apprisk when 'low' then 1 when 'elevated' then 2 when
'medium' then 3 when 'high' then 4 when 'critical' then 5 else 0 end) as d_risk,
coalesce(nullifna(t1.`user`), nullifna(t1.`unauthuser`), ipstr(t1.`srcip`)) as
f_user, t2.id , t2.name, t2.app_cat, t2.technology, sum(coalesce(sentbyte, 0)+co-
alesce(rcvdbyte, 0)) as bandwidth, count(*) as sessions from $log t1 inner join
app_mdata t2 on t1.appid=t2.id where $filter and apprisk in ('critical', 'high')
and logid_to_int(logid) not in (4, 7, 14) group by f_user, t2.id , t2.name,
t2.app_cat, t2.technology, apprisk)### t group by id, d_risk, name, app_cat,
technology order by d_risk desc, sessions desc

Apprisk-Ctrl- Application Behavioral traffic

High-Risk- Characteristics
Application-
Behavioral

158 Dataset Reference

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
behavior,
round(
sum(total_num)* 100 / sum(
sum(total_num)
) over (),
2
) as percentage
from
###(select (case when lower(appcat)='botnet' then 'malicious' when lower
(appcat)='remote.access' then 'tunneling' when lower(appcat) in ('stor-
age.backup', 'video/audio') then 'bandwidth-consuming' when lower(appcat)='p2p'
then 'peer-to-peer' when lower(appcat)='proxy' then 'proxy' end) as behavior,
count(*) as total_num from $log where $filter and lower(appcat) in ('botnet',
'remote.access', 'storage.backup', 'video/audio', 'p2p', 'proxy') and logid_to_
int(logid) not in (4, 7, 14) and apprisk in ('critical', 'high') group by
appcat)### t group by behavior order by percentage desc

Apprisk-Ctrl-Key- Key Application Crossing The traffic

Application- Network
Crossing-The-
Network

select
d_risk,
count(distinct f_user) as users,
id,
name,
app_cat,
technology,
sum(bandwidth) as bandwidth,
sum(sessions) as sessions
from
###(select (case apprisk when 'low' then 1 when 'elevated' then 2 when
'medium' then 3 when 'high' then 4 when 'critical' then 5 else 0 end) as d_risk,
coalesce(nullifna(t1.`user`), nullifna(t1.`unauthuser`), ipstr(t1.`srcip`)) as
f_user, t2.id, t2.name, t2.app_cat, t2.technology, sum(coalesce(sentbyte, 0)+co-
alesce(rcvdbyte, 0)) as bandwidth, count(*) as sessions from $log t1 inner join
app_mdata t2 on t1.appid=t2.id where $filter and logid_to_int(logid) not in (4,
7, 14) group by f_user, t2.id, t2.name, t2.app_cat, t2.technology, apprisk )###
t group by id, name, app_cat, technology, d_risk order by bandwidth desc

Apprisk-Ctrl- Application risk application traffic

Risk-Application- usage by category
Usage-By-
Category-With-
Pie

Dataset Reference 159

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

Apprisk-Ctrl- Category breakdown of all traffic

Category- applications, sorted by
Breakdown-By- bandwidth
Bandwidth

select
appcat,
count(distinct appid) as app_num,
count(distinct f_user) as user_num,
sum(bandwidth) as bandwidth,
sum(num_session) as num_session
from
###(select appcat, appid, coalesce(nullifna(`user`), nullifna(`unauthuser`),
ipstr(`srcip`)) as f_user, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as
bandwidth, count(*) as num_session from $log where $filter and logid_to_int
(logid) not in (4, 7, 14) and nullifna(appcat) is not null group by appcat,
appid, f_user)### t group by appcat order by bandwidth desc

Apprisk-Ctrl-Top- Top 25 Web Categories by traffic

Web- Bandwidtih
Applications-by-
Bandwidth

160 Dataset Reference

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
d_risk,
id,
name,
technology,
count(distinct f_user) as user_num,
sum(bandwidth) as bandwidth,
sum(num_session) as num_session
from
###(select (case apprisk when 'low' then 1 when 'elevated' then 2 when
'medium' then 3 when 'high' then 4 when 'critical' then 5 else 0 end) as d_risk,
t2.id, t2.name, t2.technology, coalesce(nullifna(t1.`user`), nullifna(t1.`un-
authuser`), ipstr(t1.`srcip`)) as f_user, sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0)) as bandwidth, count(*) as num_session from $log t1 inner join
app_mdata t2 on t1.appid=t2.id where $filter and logid_to_int(logid) not in (4,
7, 14) and nullifna(app) is not null and service in ('80/tcp', '443/tcp',
'HTTP', 'HTTPS', 'http', 'https') group by apprisk, t2.id, t2.name, t2.-
technology, f_user)### t group by d_risk, id, name, technology order by band-
width desc

Apprisk-Ctrl-Top- Top 25 Web Categories Visited traffic

Web-Categories-
Visited

select
catdesc,
count(distinct f_user) as user_num,
sum(sessions) as sessions,
sum(bandwidth) as bandwidth
from
(
###(select catdesc, coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr
(`srcip`)) as f_user, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and catdesc is not
null and logid_to_int(logid) not in (4, 7, 14) and utmevent in ('webfilter',
'banned-word', 'web-content', 'command-block', 'script-filter') group by f_user,
catdesc order by sessions desc)### union all ###(select catdesc, coalesce(nul-
lifna(ùser`), ipstr(`srcip`)) as f_user, count(*) as sessions, sum(coalesce
(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-webfilter where $fil-
ter and catdesc is not null and (eventtype is null or logver = 52) group by f_
user, catdesc order by sessions desc)###) t group by catdesc order by sessions
desc

Apprisk-Ctrl- Common virus disvocered, the traffic

Common-Virus- botnet communictions and the
Botnet-Spyware spyware/adware

Dataset Reference 161

Fortinet Inc.
Dataset Reference List

Dataset Name Description Log Category

select
virus_s as virus,
(
case when lower(appcat)= 'botnet' then 'Botenet C&C' else (
case when virus_s like 'Riskware%' then 'Spyware' when virus_s like
'Adware%' then 'Adware' else 'Virus' end
) end
) as malware_type,
appid,
app,
count(distinct dstip) as victims,
count(distinct srcip) as source,
sum(total_num) as total_num
from
###(select unnest(string_to_array(virus, ',')) as virus_s, appcat, appid, app,
dstip, srcip, count(*) as total_num from $log-traffic where $filter and logid_
to_int(logid) not in (4, 7, 14) and virus is not null group by virus_s, appcat,
appid, dstip, srcip, app order by total_num desc)### t group by virus, appid,
app, malware_type order by total_num desc

Apprisk-Ctrl- Zero-day malware detected on traffic

Zero-Day- the network
Detected-On-
Network

select
virus_s,
appid,
app,
count(distinct dstip) as victims,
count(distinct srcip) as source,
sum(total_num) as total_num
from
###(select unnest(string_to_array(virus, ',')) as virus_s, appid, app, dstip,
srcip, count(*) as total_num from $log where $filter and logid_to_int(logid) not
in (4, 7, 14) and virus like '%PossibleThreat.SB%' group by virus_s, dstip,
srcip, appid, app )### t where virus_s like '%PossibleThreat.SB%' group by
virus_s, appid, app order by total_num desc

Apprisk-Ctrl- Files analyzed by FortiCloud virus

Files-Analyzed- Sandbox
By-FortiCloud-
Sandbox

162 Dataset Reference

Fortinet Inc.
Dataset Reference List

Apprisk-Ctrl- Files detected by FortiCloud virus

Malicious-Files- Sandbox
Detected-By-
FortiCloud-
Sandbox

select
filename,
analyticscksum,
count(distinct dstip) as victims,
count(distinct srcip) as source
from
###(select filename, analyticscksum, dstip, srcip from $log where $filter and
filename is not null and logid_to_int(logid)=9233 and analyticscksum is not null
group by filename, analyticscksum, srcip, dstip)### t group by filename, ana-
lyticscksum order by victims

Apprisk-Ctrl-File- File transferred by applications app-ctrl

Transferred-By- on the network
Application

Dataset Reference 163

Fortinet Inc.
Dataset Reference List

appctrl-Top- Appctrl top blocked SCCP app-ctrl

Blocked-SCCP- callers
Callers

select
srcname as caller,
count(*) as totalnum
from
$log
where
$filter
and lower(appcat)= 'voip'
and app = 'sccp'
and action = 'block'
and srcname is not null
group by
caller
order by
totalnum desc

appctrl-Top- Appctrl top blocked SIP callers app-ctrl

Blocked-SIP-
Callers

164 Dataset Reference

Fortinet Inc.
Dataset Reference List

content-Count- Content count total SCCP call content

Total-SCCP- registrations by hour of day
Call-
Registrations-by-
Hour-of-Day

select
$hour_of_day as hourstamp,
count(*) as totalnum
from
$log
where
$filter
and proto = 'sccp'
and kind = 'register'
group by
hourstamp
order by
hourstamp

content-Count- Content count total SCCP calls content

Total-SCCP- duration by hour of day
Calls-Duration-
by-Hour-of-Day

Dataset Reference 165

Fortinet Inc.
Dataset Reference List

content-Count- Content count total SCCP calls content

Total-SCCP- per status
Calls-per-Status

select
status,
count(*) as totalnum
from
$log
where
$filter
and proto = 'sccp'
and kind = 'call-info'
group by
status
order by
totalnum desc

content-Count- Content count total SIP call content

Total-SIP-Call- registrations by hour of day
Registrations-by-
Hour-of-Day

166 Dataset Reference

Fortinet Inc.
Dataset Reference List

content-Count- Content count total SIP calls per content

Total-SIP-Calls- status
per-Status

select
status,
count(*) as totalnum
from
$log
where
$filter
and proto = 'sip'
and kind = 'call'
group by
status
order by
totalnum desc

content-Dist- Content dist total SIP calls by content

Total-SIP-Calls- duration
by-Duration

Dataset Reference 167

Fortinet Inc.
Dataset Reference List

Botnet-Activity- Botnet activity by sources traffic

By-Sources

select
app,
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
count(*) as events
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and appcat = 'Botnet'
and nullifna(app) is not null
group by
app,
user_src
order by
events desc

Botnet-Infected- Botnet infected hosts traffic

Hosts

168 Dataset Reference

Fortinet Inc.
Dataset Reference List

Detected-Botnet Detected botnet traffic

select
app,
count(*) as events
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and appcat = 'Botnet'
and nullifna(app) is not null
group by
app
order by
events desc

Botnet-Sources Botnet sources traffic

Dataset Reference 169

Fortinet Inc.
Dataset Reference List

Botnet-Victims Botnet victims traffic

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
count(*) as events
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and appcat = 'Botnet'
and srcip is not null
group by
user_src
order by
events desc

Botnet-Timeline Botnet timeline traffic

170 Dataset Reference

Fortinet Inc.
Dataset Reference List

Application- Application session history traffic

Session-History

select
$flex_timescale as hodex,
count(*) as counter
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
hodex
order by
hodex

Application- Detailed application usage traffic

Usage-List

Dataset Reference 171

Fortinet Inc.
Dataset Reference List

172 Dataset Reference

Fortinet Inc.
Macro Reference List
The following table lists the available predefined macros that can be used in a report layout to display the log data as
text (XML format) dynamically.

Macro Name Description Dataset Used Log Category

Application Category with Application category with the App-Sessions-By-Cat- Traffic

Highest Session Count highest session count egory

Application with Highest Band- Application with the highest band- Top-App-By-Bandwidth Traffic
width width usage

Application with Highest Session Applications with the highest ses- Top-App-By-Sessions Traffic
Count sion count

Attack with Highest Session Attack with highest session count Utm-Top-Attack- Attack
Count Source

Botnet with Highest Session Botnet with the highest session Detected-Botnet Traffic
Count count

Destination with Highest Band- Destination with the highest band- Top-Destinations-By- Traffic
width width usage Bandwidth

Destination with Highest Session Destination with the highest ses- Top-Destinations-By- Traffic
Count sion count Sessions

Highest Bandwidth Consumed Highest bandwidth consumed by App-Risk-App-Usage- Traffic

(Application) Category application category By-Category

Highest Bandwidth Consumed Highest bandwidth consumed by Top-App-By-Bandwidth Traffic

(Application) application

Highest Bandwidth Consumed Highest bandwidth consumed by Top-Destinations-By- Traffic

(Destination) destination Bandwidth

Highest Bandwidth Consumed Highest bandwidth consumed by Top-P2P-App-By-Band- Traffic

(P2P Application) P2P application width

Highest Bandwidth Consumed Highest bandwidth consumed by Top-Users-By-Band- Traffic

(Source) source width

Highest Bandwidth Consumed () Highest bandwidth consumed by Top-Web-Category-by- Web Filter

Web Category) website category Bandwidth

Highest Bandwidth Consumed Highest bandwidth consumed by Top-Web-Sites-by- Web Filter

(Website) website Bandwidth

173 Dataset Reference

Fortinet Inc.
Macro Reference List

Macro Name Description Dataset Used Log Category

Highest Risk Application with Highest risk application with the High-Risk-Application- Traffic
Highest Bandwidth highest bandwidth usage By-Bandwidth

Highest Risk Application with Highest risk application with the High-Risk-Application- Traffic
Highest Session Count highest session count By-Sessions

Highest Session Count by Applic- Highest session count by applic- App-Sessions-By-Cat- Traffic
ation Category ation category egory

Highest Session Count by Applic- Highest session count by applic- Top-App-By-Sessions Traffic
ation ation

Highest Session Count by Attack Highest session count by attack Utm-Top-Attack- Attack
Source

Highest Session Count by Botnet Highest session count by botnet Detected-Botnet Traffic

Highest Session Count by Destin- Highest session count by des- Top-Destinations-By- Traffic
ation tination Sessions

Highest Session Count by Highest session count by highest Threat-Attacks-By- Attack

Highest Severity Attack severity attack Severity

Highest Session Count by P2P Highest session count by P2P Top-P2P-App-By-Ses- Traffic
Application application sions

Highest Session Count by Source Highest session count by source Top-User-Source-By- Traffic
Sessions

Highest Session Count by Virus Highest session count by virus Utm-Top-Virus Traffic

Highest Session Count by Web Highest session count by website Top-Web-Category-by- Web Filter
Category category Sessions

Highest Session Count by Web- Highest session count by website Top-Web-Sites-by-Ses- Web Filter
site sions

Highest Severity Attack with Highest severity attack with the Threat-Attacks-By- Attack
Highest Session Count highest session count Severity

P2P Application with Highest P2P applications with the highest Top-P2P-App-By-Band- Traffic
Bandwidth bandwidth usage width

P2P Application with Highest Ses- P2P applications with the highest Top-P2P-App-By-Ses- Traffic
sion Count session count sions

Source with Highest Bandwidth Source with the highest bandwidth Top-Users-By-Band- Traffic
usage width

Dataset Reference 174

Fortinet Inc.
Macro Reference List

Macro Name Description Dataset Used Log Category

Source with Highest Session Source with the highest session Top-User-Source-By- Traffic
Count count Sessions

Total Number of Attacks Total number of attacks detected Total-Attack-Source Attack

Total Number of Botnet Events Total number of botnet events Total-Number-of-Bot- Traffic
net-Events

Total Number of Viruses Total number of viruses detected Total-Number-of- Traffic

Viruses

User Details User details of traffic Traffic-User-Detail Traffic

Virus with Highest Session Count Virus with the highest session Utm-Top-Virus Traffic
count

Web Category with Highest Band- Web filtering category with the Top-Web-Category-by- Web Filter
width highest bandwidth usage Bandwidth

Web Category with Highest Ses- Web filtering category with the Top-Web-Category-by- Web Filter
sion Count highest session count Sessions

Website with Highest Bandwidth Website with the highest band- Top-Web-Sites-by- Web Filter
width usage Bandwidth

Website with Highest Session Website with the highest session Top-Web-Sites-by-Ses- Web Filter
Count count sions

175 Dataset Reference

Fortinet Inc.
Copyright© 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations,and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.

FortiAnalyzer Student Guide Online
No ratings yet
FortiAnalyzer Student Guide Online
348 pages
FCP Sec Ops - FortiAnalyzer Analyst 7.4 - Study Guide
100% (3)
FCP Sec Ops - FortiAnalyzer Analyst 7.4 - Study Guide
216 pages
(FCP Sec Ops - NSE5) - FortiAnalyzer Analyst 7.2 - Study Guide
No ratings yet
(FCP Sec Ops - NSE5) - FortiAnalyzer Analyst 7.2 - Study Guide
209 pages
Fortinet Fortisiem Lab Guide For Fortisiem 63
No ratings yet
Fortinet Fortisiem Lab Guide For Fortisiem 63
249 pages
Fortinet Fortianalyzer Administrator Study Guide For Fortianalyzer 72
No ratings yet
Fortinet Fortianalyzer Administrator Study Guide For Fortianalyzer 72
201 pages
Editable FCP FAZ An-7.4 TVT VN Wilhern 7637
No ratings yet
Editable FCP FAZ An-7.4 TVT VN Wilhern 7637
69 pages
LABOR RELATIONS Compiled by Clintmaratas v.4
100% (2)
LABOR RELATIONS Compiled by Clintmaratas v.4
182 pages
FortiAnalyzer 7.0 Study Guide-Online (1) Unlocked
No ratings yet
FortiAnalyzer 7.0 Study Guide-Online (1) Unlocked
346 pages
FortiAnalyzer 7.2.1 Administration Guide
No ratings yet
FortiAnalyzer 7.2.1 Administration Guide
398 pages
FortiAnalyzer 7.6.1 Dataset Reference
No ratings yet
FortiAnalyzer 7.6.1 Dataset Reference
495 pages
Artists and Artisans
100% (2)
Artists and Artisans
46 pages
Financial Analysis of A Selected Company
100% (1)
Financial Analysis of A Selected Company
20 pages
FortiAnalyzer-7 2 2-Administration - Guide
No ratings yet
FortiAnalyzer-7 2 2-Administration - Guide
416 pages
FortiAnalyzer 5.4.1 Administration Guide
No ratings yet
FortiAnalyzer 5.4.1 Administration Guide
189 pages
FortiAnalyzer 04 Logs
No ratings yet
FortiAnalyzer 04 Logs
60 pages
Fortianalyzer v5.2.7 Dataset Reference
No ratings yet
Fortianalyzer v5.2.7 Dataset Reference
142 pages
QUESTION BANK - (Laplace and Fourier Transform - CUTM1002)
No ratings yet
QUESTION BANK - (Laplace and Fourier Transform - CUTM1002)
7 pages
FCP Faz Ad-7.4-Demo 2
No ratings yet
FCP Faz Ad-7.4-Demo 2
14 pages
FortiAnalyzer 05 Reports
No ratings yet
FortiAnalyzer 05 Reports
59 pages
FortiAnalyzer 5.4.5 CLI Reference
0% (1)
FortiAnalyzer 5.4.5 CLI Reference
224 pages
Navdeep Singh Sodhi
No ratings yet
Navdeep Singh Sodhi
35 pages
FortiAnalyzer 6.0.4 Administration Guide
No ratings yet
FortiAnalyzer 6.0.4 Administration Guide
225 pages
FortiAnalyzer 5.4.0 Administration Guide
No ratings yet
FortiAnalyzer 5.4.0 Administration Guide
233 pages
FortiAnalyzer 521 Adminstration Guide
No ratings yet
FortiAnalyzer 521 Adminstration Guide
308 pages
FortiAnalyzer-6 4 0-Administration - Guide
No ratings yet
FortiAnalyzer-6 4 0-Administration - Guide
285 pages
Fortianalyzer - Administration Guide
No ratings yet
Fortianalyzer - Administration Guide
323 pages
FortiAnalyzer Dataset Reference Guide 5.08
No ratings yet
FortiAnalyzer Dataset Reference Guide 5.08
126 pages
FortiAnalyzer 7.0.1 Administration Guide
No ratings yet
FortiAnalyzer 7.0.1 Administration Guide
353 pages
Membership Undertaking Form
No ratings yet
Membership Undertaking Form
6 pages
FCP Sec Ops FortiAnalyzer Analyst 7 4 Study Guide Stamped
No ratings yet
FCP Sec Ops FortiAnalyzer Analyst 7 4 Study Guide Stamped
216 pages
Introduction To E-Gov
No ratings yet
Introduction To E-Gov
15 pages
FAZ Trainining v6 - 20200310
No ratings yet
FAZ Trainining v6 - 20200310
267 pages
Schengen
No ratings yet
Schengen
8 pages
FortiAnalyzer 5.2.2 CLI Reference
No ratings yet
FortiAnalyzer 5.2.2 CLI Reference
200 pages
Fortianalyzer Cli 520
No ratings yet
Fortianalyzer Cli 520
206 pages
Engineering Science For BS MBS3211: 3. Electricity
No ratings yet
Engineering Science For BS MBS3211: 3. Electricity
64 pages
FAZ - Adm Guide
No ratings yet
FAZ - Adm Guide
214 pages
Lecture 21 Analysis of Rainfall Data
No ratings yet
Lecture 21 Analysis of Rainfall Data
10 pages
FortiManager & FortiAnalyzer 7.6.1 Log Reference
No ratings yet
FortiManager & FortiAnalyzer 7.6.1 Log Reference
64 pages
FortiAnalyzer 6.4.0 CLI Reference
No ratings yet
FortiAnalyzer 6.4.0 CLI Reference
263 pages
Fortigate Logging and Reporting 52
No ratings yet
Fortigate Logging and Reporting 52
56 pages
FortiAnalyzer 5.4.5 Administration Guide
No ratings yet
FortiAnalyzer 5.4.5 Administration Guide
196 pages
FortiAnalyzer Study Guide Online
No ratings yet
FortiAnalyzer Study Guide Online
225 pages
Upd EYE TATTOO AND ITS ADVERSE EVENTS
No ratings yet
Upd EYE TATTOO AND ITS ADVERSE EVENTS
14 pages
EN671: Solar Energy Conversion Technology: Fundamentals of Flat Plate Collectors
No ratings yet
EN671: Solar Energy Conversion Technology: Fundamentals of Flat Plate Collectors
24 pages
FortiAnalyzer 7.2.0 Examples
No ratings yet
FortiAnalyzer 7.2.0 Examples
64 pages
Statistics Study Group 1
No ratings yet
Statistics Study Group 1
3 pages
Term One Edited
No ratings yet
Term One Edited
70 pages
FortiAnalyzer 09.21
No ratings yet
FortiAnalyzer 09.21
39 pages
Benchmarking Optimizers
No ratings yet
Benchmarking Optimizers
30 pages
4 Logging and Monitoring
No ratings yet
4 Logging and Monitoring
31 pages
FortiAnalyzer 6.2 Cookbook
No ratings yet
FortiAnalyzer 6.2 Cookbook
62 pages
Chuyên Đề 13 Cụm Động Từ (Phrasal Verbs)
No ratings yet
Chuyên Đề 13 Cụm Động Từ (Phrasal Verbs)
13 pages
FortiAnalyzer-7.4.0-SQL Log Database Query
No ratings yet
FortiAnalyzer-7.4.0-SQL Log Database Query
18 pages
Key Roles and Life Cycle
No ratings yet
Key Roles and Life Cycle
4 pages
Fort I Analyzer 1
No ratings yet
Fort I Analyzer 1
5 pages
FGT1 02 Logging and Monitoring V2
No ratings yet
FGT1 02 Logging and Monitoring V2
36 pages
Hazardous Substance Fact Sheet: Right To Know
No ratings yet
Hazardous Substance Fact Sheet: Right To Know
6 pages
Fortianalyzer v5.4.6 Release Notes
No ratings yet
Fortianalyzer v5.4.6 Release Notes
28 pages
FMG-FAZ 5.4.5 Event Log Reference
No ratings yet
FMG-FAZ 5.4.5 Event Log Reference
37 pages
Fortianalyzer: SQL and Datasets (Supplementary Material)
No ratings yet
Fortianalyzer: SQL and Datasets (Supplementary Material)
34 pages
Bruce Berkowitz
No ratings yet
Bruce Berkowitz
30 pages
SH3532 95石油化工换热设备施工及验收规范
No ratings yet
SH3532 95石油化工换热设备施工及验收规范
30 pages
IT Based Decision Making in Health Care
No ratings yet
IT Based Decision Making in Health Care
5 pages
French Invention Cuisine
No ratings yet
French Invention Cuisine
4 pages
Fortinet NSE5 Fortianalyzer 7.2 001
No ratings yet
Fortinet NSE5 Fortianalyzer 7.2 001
20 pages
Nse5 Faz-6.2
No ratings yet
Nse5 Faz-6.2
24 pages
FortiAnalyzer Best Practices Guide
No ratings yet
FortiAnalyzer Best Practices Guide
17 pages
Review of Hussain Sagar Lake Pollution, Hyderabad, India
No ratings yet
Review of Hussain Sagar Lake Pollution, Hyderabad, India
7 pages
Quick Start FAZ Series
No ratings yet
Quick Start FAZ Series
13 pages
Semantic Textual Similarity With Siamese Neural Networks: Tharindu Ranasinghe, Constantin or Asan and Ruslan Mitkov
No ratings yet
Semantic Textual Similarity With Siamese Neural Networks: Tharindu Ranasinghe, Constantin or Asan and Ruslan Mitkov
8 pages
For Ti Analyzer DataSheet
No ratings yet
For Ti Analyzer DataSheet
3 pages
Pac 6500-Sira 16 Atex 2362-00
No ratings yet
Pac 6500-Sira 16 Atex 2362-00
3 pages
Inside Fortianalyzer 50
No ratings yet
Inside Fortianalyzer 50
4 pages
Microwave Project
No ratings yet
Microwave Project
11 pages
Mercury Drugs Vs Serrano
No ratings yet
Mercury Drugs Vs Serrano
7 pages
Fortianalyzer - 400B: Centralized Management Solutions For Fortinet Systems
No ratings yet
Fortianalyzer - 400B: Centralized Management Solutions For Fortinet Systems
2 pages
Fortianalyzer: Centralized Logging, Analysis, and Reporting
No ratings yet
Fortianalyzer: Centralized Logging, Analysis, and Reporting
3 pages
1279-Article Text-5449-1-10-20200212
No ratings yet
1279-Article Text-5449-1-10-20200212
4 pages
Data Engineer Requirment
No ratings yet
Data Engineer Requirment
2 pages
Assignment 3
No ratings yet
Assignment 3
2 pages
Introduction to Oracle Database Administration
From Everand
Introduction to Oracle Database Administration
Ying Wang
5/5 (1)
Python面向对象编程指南: Chinese Edition
From Everand
Python面向对象编程指南: Chinese Edition
Posts & Telecom Press
No ratings yet
Oracle SQL Developer 2.1
From Everand
Oracle SQL Developer 2.1
Sue Harper
No ratings yet
Visual Basic 2010 Coding Briefs Data Access
From Everand
Visual Basic 2010 Coding Briefs Data Access
Kevin Hough
5/5 (1)
Oracle Database Administration Interview Questions You'll Most Likely Be Asked: Job Interview Questions Series
From Everand
Oracle Database Administration Interview Questions You'll Most Likely Be Asked: Job Interview Questions Series
Vibrant Publishers
5/5 (1)
Mastering SQLite with Python: From Basics to Advanced Techniques
From Everand
Mastering SQLite with Python: From Basics to Advanced Techniques
Robert Johnson
No ratings yet
Introduction to Microsoft SQL Server
From Everand
Introduction to Microsoft SQL Server
Eric Frick
No ratings yet
Logstash Made Easy: A Beginner's Guide to Log Ingestion and Transformation
From Everand
Logstash Made Easy: A Beginner's Guide to Log Ingestion and Transformation
Robert Johnson
No ratings yet
Learn SQLite in 24 Hours
From Everand
Learn SQLite in 24 Hours
Alex Nordeen
No ratings yet