FortiAnalyzer Dataset Reference

VERSION 5.2.7
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE

http://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTIGATE COOKBOOK
http://cookbook.fortinet.com

FORTINET TRAINING SERVICES

http://www.fortinet.com/training

FORTIGUARD CENTER
http://www.fortiguard.com

END USER LICENSE AGREEMENT

http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

FortiAnalyzer Dataset Reference

April 22, 2016

05-526-364810-20160422
TABLE OF CONTENTS

Change Log 6
Introduction 7
Overview 8
Understanding Datasets and Macros 9
Creating Custom Datasets 10
To create a custom dataset in the web-based manager 10
Testing SQL Query 11
Examples of SQL Query Errors 11
Examples of Custom Datasets 12
Example 1: Distribution of applications by type in the last 24 hours 13
Example 2: Top 100 applications by bandwidth in the last 24 hours 14
Log Database Tables 15
Dataset Reference List 19
Macro Reference List 139
Change Log

Date Change Description

2016-04-22 Updated for version 5.2.7.

Introduction

This document provides information about the various types of FortiAnalyzer datasets which are created based on the
FortiGate log SQL tables and messages. These datasets are used to create charts and reports.

It describes the procedure for creating custom datasets, and also lists the types of log tables used to assist in writing
SQL queries to create the datasets.

7 Dataset Reference
Fortinet, Inc.
Overview

FortiAnalyzer uses the PostgreSQL and remote MySQL databases to store the log data generated by the FortiGate.

To create a chart based on the FortiGate logs in a local or remote database, you can use either the predefined
datasets, or create your own custom datasets by querying the logs in the SQL database in FortiAnalyzer.

Understanding Datasets and Macros 9

8 Dataset Reference
Fortinet, Inc.
Overview Understanding Datasets and Macros

Understanding Datasets and Macros

FortiAnalyzer datasets are collections of log messages from monitored devices.

If the FortiAnalyzer unit is not receiving data from a device, or logging is not enabled under System > Config > SQL
Database, it does not create log tables for that device.

Charts in FortiAnalyzer are generated based on the datasets. To create a chart, you can use either the predefined
datasets, or create your own custom datasets by querying the log messages in the SQL database on the FortiAnalyzer
unit. Both predefined and custom datasets can be cloned, but only custom datasets can be deleted. You can also view
the SQL query for a dataset, and test the query against specific devices or log arrays.

You can create custom reports that contain macros created based on predefined and custom datasets. Macros are
used to dynamically display the device log data as text in a report. They can be embedded within a text field of a
paragraph in a report layout in XML format. Macros display a single value, such as a user name, highest session count,
or highest bandwidth etc.

To view and configure datasets, go to Reports > Advanced > Dataset in the left navigation pane of the web-based
manager. For more information, refer to the Dataset section in the FortiAnalyzer Administration Guide.

To view and configure macros, go to Reports> Macro Library in the left navigation pane of the web-based manager.
For more information, refer to the Macro Library section in the FortiAnalyzer Administration Guide.

NOTE: FortiAnalyzer v5.0 Patch Release 5 introduced new datasets for SIP and SCCP. FortiAnalyzer v5.0 Patch
Release 6 introduced new datasets for Botnet (Botnet-Activity-By-Sources, Botnet-Infected-Hosts, Botnet-Sources, Botnet-
Timeline, and Detected-Botnet).

9 Dataset Reference
Fortinet, Inc.
Creating Custom Datasets

This section describes the procedure to create datasets in the FortiAnalyzer web-based manager.

To create a custom dataset in the web-based manager

1. Go to Reports> Advanced > Dataset.

2. Click Create New.

3. Configure the following, then click OK.

The following table describes the GUI fields of the New Dataset dialog box.

Field Description

Name Name of the data set.

Log Type Log Type to be used for the data set.

$log is used in the SQL query to represent the log type you
select, and it is run against all tables of this type.

Devices Select All Devices to create datasets on all of FortiAna-

lyzer managed devices or select Specify to choose a device
on which you want to create the dataset.

10 Dataset Reference
Fortinet, Inc.
 Testing SQL Query

Field Description

Query Enter the SQL query syntax to retrieve the log data you want
from the SQL database.

Time Period Select to use logs from a time frame.

Select Other to define a custom time frame by selecting the
Start Time and End Time. $filter is used in the SQL query
"where" clause to limit the results to the period you select.

Test Click to test whether or not the SQL query is successful.

Testing SQL Query

You can verify the SQL query that you used to create the custom dataset before saving the dataset configuration by
testing and viewing the query results.

To test a SQL query:

1. Click Test after entering the SQL query in the New Dataset dialog box.
The query results are displayed. If the query is not successful, an error message appears in the results pane.

Examples of SQL Query Errors

Here are some example error messages and possible causes:

Syntax Errors
You have an error in your SQL syntax (remote/MySQL) or ERROR: syntax error at or
near... (local/PostgreSQL)

l Check that SQL keywords are spelled correctly, and that the query is well-formed.
l Table and column names are demarked by grave accent (`) characters. Single (') and double (") quotation marks will
cause an error.
No data is covered.

l The query is correctly formed, but no data has been logged for the log type. Check that you have configured the
FortiAnalyzer unit to save that log type. Under System >

Config > SQL Database, ensure that the log type is checked.

Connection Errors
If well formed queries do not produce results, and logging is turned on for the log type, there may be a database
configuration problem with the remote database.

Dataset Reference 11
Fortinet, Inc.
 Examples of Custom Datasets

Ensure that:

l MySQL is running and using the default port3306.

l You have created an empty database and a user with create permissions for the database.

Here is an example of creating a new MySQL database named fazlogs, and adding a user for the database:
#Mysql –u root –p

mysql> Create database fazlogs;

mysql> Grant all privileges on fazlogs.* to ‘fazlogger’@’*’

identified by ‘fazpassword’;

mysql> Grant all privileges on fazlogs.* to

‘fazlogger’@’localhost’ identified by ‘fazpassword’;

For more information about using SQL queries for creating datasets, refer to the

FortiAnalyzer™ and FortiGate™ Version 4.0 MR2 SQL Log Database Query Technical Note on the Fortinet
Documentation Library at docs.fortinet.com.

Examples of Custom Datasets

The following examples illustrate how to create custom datasets using the web-based manager GUI. Once created,
you can use the datasets to configure chart templates under Reports > Chart Library.

12 Dataset Reference
Fortinet, Inc.
 Examples of Custom Datasets

Example 1: Distribution of applications by type in the last 24 hours

GUI Procedure
1. Go to Reports> Advanced > Dataset.
2. Click Create New.
3. Select Application Control under Log Type.
4. Enter a name, such as "apps_type_24hrs".
5. Select Last N Hours under Time Period.
6. Enter the query:
SELECT app_type, COUNT( * ) AS totalnum
FROM $log
WHERE $filter
AND app_type IS NOT NULL
GROUP BY app_type
ORDER BY totalnum DESC

Dataset Reference 13
Fortinet, Inc.
 Examples of Custom Datasets

Notes:

l $filter restricts the query result to the time period specified; in this case, it’s the past 24 hours.
l $log queries all application control logs
l The application control module classifies each firewall session in app_type. One firewall session may be classified
to multiple app_types. For example, an HTTPsession can be classified to: HTTP, Facebook, etc.
l Some app/app_types may not be able to detected, then the ‘app_type’ field may be null or ‘N/A’. These will be
ignored by this query.

The result is ordered by the total session number of the same app_type. The most frequent app_types will appear first.

Example 2: Top 100 applications by bandwidth in the last 24 hours

1. GUI Procedure
2. Go to Reports> Advanced > Dataset.
3. Click Create New.
4. Select Application Control under Log Type.
5. Enter a name, such as "top_100_aps_24hrs".
6. Select Last N Hours under Time Period.
7. Enter the query:
SELECT (
TIMESTAMP - TIMESTAMP %3600
) AS hourstamp, app, service, SUM( sent + rcvd ) AS volume
FROM $log
WHERE $filter and app IS NOT NULL
GROUP BY app
ORDER BY volume DESC
LIMIT 100

NOTE:
l (timestamp-timestamp%3600) as hourstamp - this calculates an "hourstamp" to indicate bandwidth per hour.
l SUM( sent + rcvd ) AS volume - this calculates the total sent and received bytes.
l ORDER BY volume DESC - this orders the results by descending volume (largest volume first).
l LIMIT 100 - this lists only the top 100 applications.

14 Dataset Reference
Fortinet, Inc.
Log Database Tables

The FortiAnalyzer and FortiGate units create SQL database tables to record log data. These tables are generated for
high log rate and low log rate devices.

The naming convention for the log SQL tables is:

High log rate:

<devtype>]-ADOM[<admon_oid><log-type>-timestamp]

and

Low log rate:

<devtype>ADOM<adom_oid>-ALLELSE-<log-type>-<timestamp>-<delta-timestamp>

where the device type can be any one of the following:

Example:

FGTADOM141-tlog-0, FGTADOM141-ALLELSE-tlog-0-0

<devtype> : "FGT/FMG/FML/FCT/FWB/FCH/FAZ/SYS/..."

{"FGT", "FortiGate"},
{"FMG", "FortiManager"},

{"SYS", "Syslog"},

{"FCT", "FortiClient"},

{"FML", "FortiMail"},

{"FWB", "FortiWeb"},

{"FCH", "FortiCache"},

{"FAZ", "FortiAnalyzer"},
{"FSA", "FortiSandbox"},

Log Type SQL Table Description

Type

Traffic tlog The traffic log records all traffic to and through the FortiGate
interface.

Event elog The event log records management and activity events. For
example, when an administrator logs in or logs out of the web-
based manager.

15 Dataset Reference
Fortinet, Inc.
Log Database Tables

Log Type SQL Table Description

Type

Antivirus vlog The antivirus log records virus incidents in Web, FTP, and email
traffic.

Webfilter wlog The web filter log records HTTP FortiGate log rating errors
including web content blocking actions that the FortiGate unit
performs.

Attack attack_log The attack log records attacks that are detected and prevented
by the FortiGate unit.

Data Leak Prevention dlog The Data Leak Prevention log records log data that is con-
sidered sensitive and that should not be made public. This log
also records data that a company does not want entering their
network.

Application Control
rlog The application control log records data detected by the
FortiGate unit and the action taken against the network traffic
depending on the application that is generating the traffic, for
example, instant messaging software, such as MSN Mes-
senger.

Spamfilter spamfilter_log The spam filter log records blocking of email address patterns
and content in SMTP, IMAP, and POP3 traffic.

Content clog The content log records all network content that is transmitted
through the network.

Netscan nlog The netscan log records data related to network security and
scan.

Sniffer xlog The sniffer log records each packet raw data for traffic bot-
tlenecks.

VOIP plog The VOIP log records detailed protocol specific logs for VOIP
traffic.

To view all the tables created in a database, use the following commands:

l local (PostgreSQL) database: SELECT * FROM pg_tables

l remote (MySQL): SHOW TABLES

FortiAnalyzer and FortiGate logs also include log sub-types, which are types of log messages that are within the main
log type. For example, in the event log type there are the subtype admin log messages.

For more information on FortiGate Log Types and Messages, refer to the FortiOS/FortiGate Log Message Reference
Guide on the Fortinet Documentation Library at: docs.fortinet.com.

Dataset Reference 16
Fortinet, Inc.
 Log Database Tables

Log Type Sub Type

traffic (Traffic Log) • allowed – Policy allowed traffic

• violation - Policy violation traffic
• other

event (Event Log) For FortiGate devices:

l system – System activity event
l ipsec – IPSec negotiation event
l dhcp – DHCP service event
l ppp – L2TP/PPTP/PPPoE service event
l admin – admin event
l ha – HA activity event
l auth – Firewall authentication event
l pattern – Pattern update event
l alertemail – Alert email notifications
l chassis – FortiGate-4000 and FortiGate-5000 series
chassis event
l sslvpn-user – SSL VPN user event
l sslvpn-admin – SSL VPN administration event
l sslvpn-session – SSL VPN session event
l his-performance – performance statistics
l vipssl – VIP SSL events
l ldb-monitor – LDB monitor events

dlp (Data Leak Prevention) l dlp – Data Leak Prevention

app-crtl (Application Control Log) l app-crtl-all – All application control

virus (Antivirus Log) l infected – Virus infected

l filename – Filename blocked
l oversize – File oversized

webfilter (Web Filter Log) l content – content block

l urlfilter – URL filter
l FortiGuard block
l FortiGuard allowed
l FortiGuard error
l ActiveX script filter
l Cookie script filter
l Applet script filter

ips (Attack Log) l signature – Attack signature

l anomaly – Attack anomaly

17 Dataset Reference
Fortinet, Inc.
Log Database Tables

Log Type Sub Type

email filter (Spam Filter Log) l SMTP

l POP3
l IMAP

Dataset Reference 18
Fortinet, Inc.
Dataset Reference List Log Database Tables

Dataset Reference List

The following table lists the available predefined data sets reported by FortiAnalyzer. For documentation and technical
support reference purposes, this table contains the dataset names, SQL query syntax for each dataset, and the log
category of the dataset.

Dataset Name Description Log Category

Traffic-Bandwidth-Summary-Day-Of- Traffic bandwidth timeline traffic

Month

select
$flex_timescale as hodex,
sum(
coalesce(sentbyte, 0)
) as traffic_out,
sum(
coalesce(rcvdbyte, 0)
) as traffic_in
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
hodex
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
hodex
Dataset Name Description Log Category

Session-Summary-Day-Of-Month Number of session timeline traffic

select
$flex_timescale as hodex,
count(*) as sessions
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
hodex
order by
hodex

19 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

Dataset Name Description Log Category

Top-Users-By-Bandwidth Bandwidth application top users by bandwidth usage traffic

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth,
sum(
coalesce(rcvdbyte, 0)
) as traffic_in,
sum(
coalesce(sentbyte, 0)
) as traffic_out,
count(*) as sessions
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
user_src
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

Top-App-By-Bandwidth Top applications by bandwidth usage traffic

select
app_group_name(app) as app_group,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth,
sum(
coalesce(rcvdbyte, 0)
) as traffic_in,
sum(
coalesce(sentbyte, 0)
) as traffic_out,
count(*) as sessions
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and nullifna(app) is not null

Dataset Reference 20
Fortinet, Inc.
Dataset Reference List Log Database Tables

group by
app_group
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

Top-User-Source-By-Sessions Top user source by session count traffic

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
count(*) as sessions
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
user_src
order by
sessions desc
Dataset Name Description Log Category

Top-App-By-Sessions Top applications by session count traffic

select
app_group_name(app) as app_group,
count(*) as sessions
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and nullifna(app) is not null
group by
app_group
order by
sessions desc
Dataset Name Description Log Category

Top-Destination-Addresses-By-Sessions Top destinations by session count traffic

select
coalesce(
nullifna(
root_domain(hostname)
),

21 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

ipstr(dstip)
) as domain,
count(*) as sessions
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
domain
order by
sessions desc
Dataset Name Description Log Category

Top-Destination-Addresses-By-Band- Top destinations by bandwidth usage traffic

width

select
coalesce(
nullifna(
root_domain(hostname)
),
ipstr(dstip)
) as domain,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth,
sum(
coalesce(rcvdbyte, 0)
) as traffic_in,
sum(
coalesce(sentbyte, 0)
) as traffic_out
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and coalesce(
nullifna(
root_domain(hostname)
),
ipstr(`dstip`)
) is not null
group by
domain
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

DHCP-Summary-By-Port Event top dhcp summary event

Dataset Reference 22
Fortinet, Inc.
Dataset Reference List Log Database Tables

drop
table if exists pre_clt_list;
drop
table if exists cur_clt_list;
drop
table if exists allocated_ip; create temporary table pre_clt_list as ###(select concat
(interface, '.', devid) as intf, mac from $log where $last3day_period $filter and
logid_to_int(logid) = 26001 and dhcp_msg = 'Ack' group by interface, devid,
mac)###; create temporary table cur_clt_list as ###(select concat(interface, '.',
devid) as intf, mac from $log where $filter and logid_to_int(logid) = 26001 and
dhcp_msg = 'Ack' group by interface, devid, mac)###; create temporary table
allocated_ip as select distinct on (1) intf, cast(used*100.0/total as decimal
(18,2)) as percent_of_allocated_ip from ###(select distinct on (1) concat
(interface, '.', devid) as intf, used, total, itime from $log where $filter and
logid_to_int(logid)=26003 and total>0 order by 1, itime desc)### t order by 1,
itime desc; select t1.intf as interface, percent_of_allocated_ip, new_cli_count
from allocated_ip t1 inner join (select intf, count(mac) as new_cli_count from cur_
clt_list where not exists (select 1 from pre_clt_list where cur_clt_list.mac=pre_
clt_list.mac) group by intf) t2 on t1.intf=t2.intf order by interface, percent_of_
allocated_ip desc
Dataset Name Description Log Category

Top-Wifi-Client-By-Bandwidth Traffic top WiFi client by bandwidth usage traffic

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
srcssid,
devtype,
coalesce(
nullifna(`srcname`),
`srcmac`
) as hostname_mac,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and (
srcssid is not null
or dstssid is not null
)
group by
user_src,
srcssid,
devtype,
hostname_mac
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0

23 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

order by
bandwidth desc
Dataset Name Description Log Category

Traffic-History-By-Active-User Traffic history by active user traffic

select
hodex,
count(
distinct(user_src)
) as total_user
from
###(select $flex_timescale as hodex, coalesce(nullifna(`user`), nullifna(`unauthuser`),
ipstr(`srcip`)) as user_src from $log where $filter and logid_to_int(logid) not in
(4, 7, 14) group by hodex, user_src order by hodex)### t group by hodex order by
hodex
Dataset Name Description Log Category

Top-Allowed-Websites-By-Requests UTM top allowed web sites by request traffic

select
hostname,
catdesc,
count(*) as requests
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and utmevent in (
'webfilter', 'banned-word', 'web-content',
'command-block', 'script-filter'
)
and hostname is not null
and (
utmaction not in ('block', 'blocked')
or action != 'deny'
)
group by
hostname,
catdesc
order by
requests desc
Dataset Name Description Log Category

Top-50-Websites-By-Bandwidth Webfilter top allowed web sites by bandwidth usage webfilter

select
domain,
string_agg(distinct catdesc, ', ') as agg_catdesc,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from

Dataset Reference 24
Fortinet, Inc.
Dataset Reference List Log Database Tables

###(select coalesce(nullifna(hostname), ipstr(`dstip`)) as domain, catdesc, sum

(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte,
0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log-traffic
where $filter and logid_to_int(logid) not in (4, 7, 14) and utmaction!='blocked'
and ((logver>=52 and countweb>0) or ((logver is null) and utmevent in ('webfilter',
'banned-word', 'web-content', 'command-block', 'script-filter'))) group by domain,
catdesc having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by
bandwidth desc)### t group by domain, catdesc order by bandwidth desc
Dataset Name Description Log Category

Top-Blocked-Websites UTM top blocked web sites by request traffic

select
hostname,
count(*) as requests
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and utmevent in (
'webfilter', 'banned-word', 'web-content',
'command-block', 'script-filter'
)
and hostname is not null
and (
utmaction in ('block', 'blocked')
or action = 'deny'
)
group by
hostname
order by
requests desc
Dataset Name Description Log Category

Top-Web-Users-By-Request UTM top web users by request traffic

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
devtype,
srcname,
count(*) as requests
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and utmevent in (
'webfilter', 'banned-word', 'web-content',
'command-block', 'script-filter'
)

25 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

group by
user_src,
devtype,
srcname
order by
requests desc
Dataset Name Description Log Category

Top-Allowed-WebSites-By-Bandwidth UTM top allowed websites by bandwidth usage traffic

select
appid,
hostname,
catdesc,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth,
sum(
coalesce(rcvdbyte, 0)
) as traffic_in,
sum(
coalesce(sentbyte, 0)
) as traffic_out
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and utmevent in (
'webfilter', 'banned-word', 'web-content',
'command-block', 'script-filter'
)
and hostname is not null
group by
appid,
hostname,
catdesc
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

Top-Blocked-Web-Users UTM top blocked web users traffic

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
devtype,
srcname,

Dataset Reference 26
Fortinet, Inc.
Dataset Reference List Log Database Tables

count(*) as requests
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and utmevent in (
'webfilter', 'banned-word', 'web-content',
'command-block', 'script-filter'
)
and (
utmaction in ('block', 'blocked')
or action = 'deny'
)
group by
user_src,
devtype,
srcname
order by
requests desc
Dataset Name Description Log Category

Top-20-Web-Users-By-Bandwidth Webfilter top web users by bandwidth usage webfilter

select
user_src,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_
src, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce
(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log-
traffic where $filter and logid_to_int(logid) not in (4, 7, 14) and ((logver>=52
and countweb>0) or ((logver is null) and utmevent in ('webfilter', 'banned-word',
'web-content', 'command-block', 'script-filter'))) group by user_src having sum
(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t group
by user_src order by bandwidth desc
Dataset Name Description Log Category

Top-Web-Users-By-Bandwidth UTM top web users by bandwidth usage traffic

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
devtype,
srcname,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth,
sum(
coalesce(rcvdbyte, 0)

27 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

) as traffic_in,
sum(
coalesce(sentbyte, 0)
) as traffic_out
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and utmevent in (
'webfilter', 'banned-word', 'web-content',
'command-block', 'script-filter'
)
group by
user_src,
devtype,
srcname
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

Top-Video-Streaming-Websites-By- UTM top video streaming websites by bandwidth traffic

Bandwidth usage

select
appid,
hostname,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth,
sum(
coalesce(rcvdbyte, 0)
) as traffic_in,
sum(
coalesce(sentbyte, 0)
) as traffic_out
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and catdesc in ('Streaming Media and Download')
group by
appid,
hostname
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc

Dataset Reference 28
Fortinet, Inc.
Dataset Reference List Log Database Tables

Dataset Name Description Log Category

Top-Email-Senders-By-Count Default top email senders by count traffic

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
count(*) as requests
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and service in (
'smtp', 'SMTP', '25/tcp', '587/tcp',
'smtps', 'SMTPS', '465/tcp'
)
group by
user_src
order by
requests desc
Dataset Name Description Log Category

Top-Email-Receivers-By-Count Default email top receivers by count traffic

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
count(*) as requests
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and service in (
'pop3', 'POP3', '110/tcp', 'imap',
'IMAP', '143/tcp', 'imaps', 'IMAPS',
'993/tcp', 'pop3s', 'POP3S', '995/tcp'
)
group by
user_src
order by
requests desc
Dataset Name Description Log Category

Top-Email-Senders-By-Bandwidth Default email top senders by bandwidth usage traffic

select

29 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and service in (
'smtp', 'SMTP', '25/tcp', '587/tcp',
'smtps', 'SMTPS', '465/tcp'
)
group by
user_src
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

Top-Email-Receivers-By-Bandwidth Default email top receivers by bandwidth usage traffic

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and service in (
'pop3', 'POP3', '110/tcp', 'imap',
'IMAP', '143/tcp', 'imaps', 'IMAPS',
'993/tcp', 'pop3s', 'POP3S', '995/tcp'
)
group by
user_src
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc

Dataset Reference 30
Fortinet, Inc.
Dataset Reference List Log Database Tables

Dataset Name Description Log Category

Top-Malware-By-Name UTM top virus traffic

select
virus,
(
case when virus like 'Riskware%' then 'Spyware' when virus like 'Adware%' then
'Adware' else 'Virus' end
) as malware_type,
sum(totalnum) as totalnum
from
(
###(select virus, count(*) as totalnum from $log-traffic where $filter and logid_to_
int(logid) not in (4, 7, 14) and utmevent is not null and virus is not null
group by virus order by totalnum desc)### union all ###(select virus, count(*)
as totalnum from $log-virus where $filter and (eventtype is null or logver>=52)
and nullifna(virus) is not null group by virus order by totalnum desc)###) t
group by virus, malware_type order by totalnum desc
Dataset Name Description Log Category

Top-Virus-By-Name UTM top virus traffic

select
virus,
(
case when virus like 'Riskware%' then 'Spyware' when virus like 'Adware%' then
'Adware' else 'Virus' end
) as malware_type,
sum(totalnum) as totalnum
from
(
###(select virus, count(*) as totalnum from $log-traffic where $filter and logid_to_
int(logid) not in (4, 7, 14) and utmevent is not null and virus is not null
group by virus order by totalnum desc)### union all ###(select virus, count(*)
as totalnum from $log-virus where $filter and (eventtype is null or logver>=52)
and nullifna(virus) is not null group by virus order by totalnum desc)###) t
group by virus, malware_type order by totalnum desc
Dataset Name Description Log Category

Top-Virus-Victim UTM top virus user traffic

select
user_src,
sum(totalnum) as totalnum
from
(
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as
user_src, count(*) as totalnum from $log-traffic where $filter and logid_to_int
(logid) not in (4, 7, 14) and utmevent is not null and virus is not null group
by user_src order by totalnum desc)### union all ###(select coalesce(nullifna
(`user`), ipstr(`srcip`)) as user_src, count(*) as totalnum from $log-virus
where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not
null group by user_src order by totalnum desc)###) t group by user_src order by
totalnum desc

31 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

Dataset Name Description Log Category

Top-Attack-Source UTM top attack source attack

select
coalesce(
nullifna(`user`),
ipstr(`srcip`)
) as user_src,
count(*) as totalnum
from
$log
where
$filter
group by
user_src
order by
totalnum desc
Dataset Name Description Log Category

Top-Attack-Victim UTM top attack dest attack

select
dstip,
count(*) as totalnum
from
$log
where
$filter
and dstip is not null
group by
dstip
order by
totalnum desc
Dataset Name Description Log Category

Top-Static-IPSEC-Tunnels-By-Band- Top static IPsec tunnels by bandwidth usage event

width

select
vpn_name,
sum(traffic_in + traffic_out) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
select
devid,
vd,
remip,
tunnelid,
vpn_name,
max(traffic_in) as traffic_in,
max(traffic_out) as traffic_out

Dataset Reference 32
Fortinet, Inc.
Dataset Reference List Log Database Tables

from
###(select devid, vd, remip, vpn_trim(vpntunnel) as vpn_name, tunnelid, max
(coalesce(sentbyte, 0)) as traffic_out, max(coalesce(rcvdbyte, 0)) as
traffic_in from $log where $filter and subtype='vpn' and tunneltype like
'ipsec%' and (tunnelip is null or (tunnelip='0.0.0.0' and logver is null))
and action in ('tunnel-stats', 'tunnel-down') and tunnelid is not null group
by devid, vd, remip, vpn_name, tunnelid)### t group by devid, vd, remip, vpn_
name, tunnelid) tt group by vpn_name having sum(traffic_in+traffic_out)>0
order by bandwidth desc
Dataset Name Description Log Category

Top-SSL-VPN-Tunnel-Users-By-Band- Top SSL VPN tunnel users by bandwidth usage event

width

select
user_src,
remip as remote_ip,
from_dtime(
min(s_time)
) as start_time,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
select
devid,
vd,
remip,
user_src,
tunnelid,
min(s_time) as s_time,
max(e_time) as e_time,
(
case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_
out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)-
min(min_traffic_out) end
) as bandwidth,
(
case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_
traffic_in)- min(min_traffic_in) end
) as traffic_in,
(
case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_
traffic_out)- min(min_traffic_out) end
) as traffic_out
from
###(select devid, vd, remip, coalesce(nullifna(`user`), ipstr(`remip`)) as user_
src, tunnelid, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0)) as
e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce(rcvdbyte,
0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_out, max
(coalesce(rcvdbyte, 0)) as max_traffic_in from $log where $filter and
subtype='vpn' and tunneltype='ssl-tunnel' and action in ('tunnel-stats',
'tunnel-down', 'tunnel-up') and coalesce(nullifna(`user`), ipstr(`remip`)) is
not null and tunnelid is not null group by devid, vd, user_src, remip,
tunnelid)### t group by devid, vd, user_src, remip, tunnelid) tt group by
user_src, remote_ip having sum(bandwidth)>0 order by bandwidth desc

33 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

Dataset Name Description Log Category

Top-Dial-Up-IPSEC-Tunnels-By-Band- Top dial up IPsec tunnels by bandwidth usage event

width

select
vpn_name,
sum(traffic_out + traffic_in) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
select
devid,
vd,
tunnelid,
remip,
vpn_name,
max(traffic_in) as traffic_in,
max(traffic_out) as traffic_out
from
###(select devid, vd, remip, vpn_trim(vpntunnel) as vpn_name, tunnelid, max
(coalesce(sentbyte, 0)) as traffic_out, max(coalesce(rcvdbyte, 0)) as
traffic_in from $log where $filter and nullifna(vpntunnel) is not null and
subtype='vpn' and tunneltype like 'ipsec%' and not (tunnelip is null or
(tunnelip='0.0.0.0' and logver is null)) and action in ('tunnel-stats',
'tunnel-down') and tunnelid is not null group by devid, vd, remip, vpn_name,
tunnelid)### t group by devid, vd, remip, vpn_name, tunnelid) tt group by
vpn_name having sum(traffic_out+traffic_in)>0 order by bandwidth desc
Dataset Name Description Log Category

Top-Dial-Up-IPSEC-Users-By-Band- Top dial up IPsec users by bandwidth usage event

width

select
coalesce(
xauthuser_agg,
user_agg,
ipstr(`remip`)
) as user_src,
remip,
from_dtime(
min(s_time)
) as start_time,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
select
devid,
vd,
string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg,
string_agg(distinct user_agg, ' ') as user_agg,
remip,

Dataset Reference 34
Fortinet, Inc.
Dataset Reference List Log Database Tables

tunnelid,
min(s_time) as s_time,
max(e_time) as e_time,
(
case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_
out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)-
min(min_traffic_out) end
) as bandwidth,
(
case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_
traffic_in)- min(min_traffic_in) end
) as traffic_in,
(
case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_
traffic_out)- min(min_traffic_out) end
) as traffic_out
from
###(select devid, vd, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as
user_agg, remip, tunnelid, min(coalesce(dtime, 0)) as s_time, max(coalesce
(dtime, 0)) as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min
(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_
traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in from $log where
$filter and subtype='vpn' and tunneltype like 'ipsec%' and not (tunnelip is
null or (tunnelip='0.0.0.0' and logver is null)) and action in ('tunnel-
stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null group by devid,
vd, xauthuser_agg, user_agg, remip, tunnelid)### t group by devid, vd, remip,
tunnelid) tt group by user_src, remip having sum(bandwidth)>0 order by
bandwidth desc
Dataset Name Description Log Category

Top-Dial-Up-IPSEC-Users-By-Duration Top dial up IPsec users by duration event

select
coalesce(
xauthuser_agg,
user_agg,
ipstr(`remip`)
) as user_src,
from_dtime(
min(s_time)
) as start_time,
sum(duration) as duration,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
select
devid,
vd,
remip,
string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg,
string_agg(distinct user_agg, ' ') as user_agg,
tunnelid,
min(s_time) as s_time,
max(e_time) as e_time,
(

35 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

case when min(s_time)= max(e_time) then max(max_duration) else max(max_

duration)- min(min_duration) end
) as duration,
(
case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_
out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)-
min(min_traffic_out) end
) as bandwidth,
(
case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_
traffic_in)- min(min_traffic_in) end
) as traffic_in,
(
case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_
traffic_out)- min(min_traffic_out) end
) as traffic_out
from
###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna
(`user`) as user_agg, tunnelid, min(coalesce(dtime, 0)) as s_time, max
(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration,
min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_
traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce
(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_
in from $log where $filter and subtype='vpn' and tunneltype like 'ipsec%' and
not (tunnelip is null or (tunnelip='0.0.0.0' and logver is null)) and action
in ('tunnel-stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null
group by devid, vd, remip, xauthuser_agg, user_agg, tunnelid order by
tunnelid)### t group by devid, vd, remip, tunnelid) tt group by user_src
having sum(bandwidth)>0 order by duration desc
Dataset Name Description Log Category

Top-SSL-VPN-Web-Mode-Users-By- Top SSL VPN web mode users by bandwidth usage event
Bandwidth

select
user_src,
remip as remote_ip,
from_dtime(
min(s_time)
) as start_time,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
select
devid,
vd,
user_src,
remip,
tunnelid,
min(s_time) as s_time,
max(e_time) as e_time,
(
case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_
out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)-
min(min_traffic_out) end

Dataset Reference 36
Fortinet, Inc.
Dataset Reference List Log Database Tables

) as bandwidth,
(
case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_
traffic_in)- min(min_traffic_in) end
) as traffic_in,
(
case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_
traffic_out)- min(min_traffic_out) end
) as traffic_out
from
###(select devid, vd, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src,
remip, tunnelid, min(coalesce(dtime, 0)) as s_time, max(coalesce(dtime, 0))
as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min(coalesce
(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_traffic_
out, max(coalesce(rcvdbyte, 0)) as max_traffic_in from $log where $filter and
subtype='vpn' and tunneltype='ssl-web' and action in ('tunnel-stats',
'tunnel-down', 'tunnel-up') and coalesce(nullifna(`user`), ipstr(`remip`)) is
not null and tunnelid is not null group by devid, vd, user_src, remip,
tunnelid)### t group by devid, vd, user_src, remip, tunnelid) tt group by
user_src, remote_ip having sum(bandwidth)>0 order by bandwidth desc
Dataset Name Description Log Category

Top-SSL-VPN-Users-By-Duration Top SSL VPN users by duration event

select
user_src,
tunneltype,
sum(duration) as duration,
sum(traffic_out + traffic_in) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
select
devid,
vd,
remip,
user_src,
tunneltype,
tunnelid,
max(duration) as duration,
max(traffic_in) as traffic_in,
max(traffic_out) as traffic_out
from
###(select devid, vd, remip, coalesce(nullifna(`user`), ipstr(`remip`)) as user_
src, tunnelid, tunneltype, max(coalesce(duration, 0)) as duration, max
(coalesce(sentbyte, 0)) as traffic_out, max(coalesce(rcvdbyte, 0)) as
traffic_in from $log where $filter and subtype='vpn' and tunneltype like
'ssl%' and action in ('tunnel-stats', 'tunnel-down') and coalesce(nullifna
(`user`), ipstr(`remip`)) is not null and tunnelid is not null group by
devid, vd, remip, user_src, tunnelid, tunneltype)### t group by devid, vd,
remip, user_src, tunnelid, tunneltype) tt group by user_src, tunneltype
having sum(traffic_out+traffic_in)>0 order by duration desc

37 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

Dataset Name Description Log Category

vpn-Top-Dial-Up-VPN-Users-By-Dur- Top dial up VPN users by duration event

ation

select
coalesce(
xauthuser_agg,
user_agg,
ipstr(`remip`)
) as user_src,
t_type as tunneltype,
from_dtime(
min(s_time)
) as start_time,
sum(duration) as duration,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
select
devid,
vd,
remip,
string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg,
string_agg(distinct user_agg, ' ') as user_agg,
t_type,
tunnelid,
min(s_time) as s_time,
max(e_time) as e_time,
(
case when min(s_time)= max(e_time) then max(max_duration) else max(max_
duration)- min(min_duration) end
) as duration,
(
case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_
out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)-
min(min_traffic_out) end
) as bandwidth,
(
case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_
traffic_in)- min(min_traffic_in) end
) as traffic_in,
(
case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_
traffic_out)- min(min_traffic_out) end
) as traffic_out
from
###(select devid, vd, remip, nullifna(`xauthuser`) as xauthuser_agg, nullifna
(`user`) as user_agg, (case when tunneltype like 'ipsec%' then 'ipsec' else
tunneltype end) as t_type, tunnelid, min(coalesce(dtime, 0)) as s_time, max
(coalesce(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration,
min(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_
traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce
(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_
in from $log where $filter and subtype='vpn' and (tunneltype like 'ssl%' or

Dataset Reference 38
Fortinet, Inc.
Dataset Reference List Log Database Tables

(tunneltype like 'ipsec%' and not (tunnelip is null or (tunnelip='0.0.0.0'

and logver is null)))) and action in ('tunnel-stats', 'tunnel-down', 'tunnel-
up') and tunnelid is not null group by devid, vd, remip, xauthuser_agg, user_
agg, t_type, tunnelid)### t group by devid, vd, remip, t_type, tunnelid) tt
group by user_src, tunneltype having sum(bandwidth)>0 order by duration desc
Dataset Name Description Log Category

vpn-User-Login-history VPN user login history event

select
hodex,
sum(total_num) as total_num
from
(
select
hodex,
devid,
vd,
remip,
tunnelid,
sum(tunnelup) as total_num,
max(traffic_in) as traffic_in,
max(traffic_out) as traffic_out
from
###(select $flex_timescale as hodex, devid, vd, remip, tunnelid, (case when
action='tunnel-up' then 1 else 0 end) as tunnelup, max(coalesce(sentbyte, 0))
as traffic_out, max(coalesce(rcvdbyte, 0)) as traffic_in from $log where
$filter and subtype='vpn' and (tunneltype like 'ipsec%' or tunneltype like
'ssl%') and action in ('tunnel-up', 'tunnel-stats', 'tunnel-down') and
tunnelid is not null group by hodex, action, devid, vd, remip, tunnelid)### t
group by hodex, devid, vd, remip, tunnelid having max(tunnelup) > 0 and max
(traffic_in)+max(traffic_out)>0 )tt group by hodex order by total_num desc
Dataset Name Description Log Category

vpn-Failed-Login-Atempts VPN failed logins event

select
f_user,
tunneltype,
sum(total_num) as total_num
from
###(select coalesce(nullifna(`xauthuser`), `user`) as f_user, tunneltype, count(*) as
total_num from $log where $filter and subtype='vpn' and (tunneltype='ipsec' or left
(tunneltype, 3)='ssl') and action in ('ssl-login-fail', 'ipsec-login-fail') and
coalesce(nullifna(`xauthuser`), nullifna(`user`)) is not null group by f_user,
tunneltype)### t group by f_user, tunneltype order by total_num desc
Dataset Name Description Log Category

vpn-Authenticated-Logins VPN authenticated logins event

select
coalesce(
xauthuser_agg,
user_agg,
ipstr(`remip`)

39 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

) as f_user,
t_type as tunneltype,
from_dtime(
min(s_time)
) as start_time,
sum(total_num) as total_num,
sum(duration) as duration
from
(
select
string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg,
string_agg(distinct user_agg, ' ') as user_agg,
t_type,
devid,
vd,
remip,
tunnelid,
min(s_time) as s_time,
max(e_time) as e_time,
(
case when min(s_time)= max(e_time) then max(max_duration) else max(max_
duration)- min(min_duration) end
) as duration,
(
case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_
out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)-
min(min_traffic_out) end
) as bandwidth,
(
case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_
traffic_in)- min(min_traffic_in) end
) as traffic_in,
(
case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_
traffic_out)- min(min_traffic_out) end
) as traffic_out,
sum(tunnelup) as total_num
from
###(select nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as user_agg,
devid, vd, remip, (case when tunneltype like 'ipsec%' then 'ipsec' else
tunneltype end) as t_type, tunnelid, sum((case when action='tunnel-up' then 1
else 0 end)) as tunnelup, min(coalesce(dtime, 0)) as s_time, max(coalesce
(dtime, 0)) as e_time, max(coalesce(duration,0)) as max_duration, min
(coalesce(duration,0)) as min_duration, min(coalesce(sentbyte, 0)) as min_
traffic_out, min(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce
(sentbyte, 0)) as max_traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_
in from $log where $filter and subtype='vpn' and (tunneltype like 'ipsec%' or
tunneltype like 'ssl%') and action in ('tunnel-up', 'tunnel-stats', 'tunnel-
down') and tunnelid is not null group by xauthuser_agg, user_agg, devid, vd,
remip, t_type, tunnelid)### t group by t_type, devid, vd, remip, tunnelid
having max(tunnelup) > 0) tt group by f_user, tunneltype having sum
(bandwidth) > 0 order by total_num desc
Dataset Name Description Log Category

vpn-Traffic-Usage-Trend-VPN-Summary VPN traffic usage trend event

select

Dataset Reference 40
Fortinet, Inc.
Dataset Reference List Log Database Tables

hodex,
sum(ssl_traffic_out + ssl_traffic_in) as ssl_bandwidth,
sum(
ipsec_traffic_out + ipsec_traffic_in
) as ipsec_bandwidth
from
(
select
hodex,
devid,
vd,
remip,
tunnelid,
(
case when t_type like 'ssl%' then max(traffic_in) else 0 end
) as ssl_traffic_in,
(
case when t_type like 'ssl%' then max(traffic_out) else 0 end
) as ssl_traffic_out,
(
case when t_type like 'ipsec%' then max(traffic_in) else 0 end
) as ipsec_traffic_in,
(
case when t_type like 'ipsec%' then max(traffic_out) else 0 end
) as ipsec_traffic_out
from
###(select $flex_timescale as hodex, devid, vd, remip, tunnelid, (case when
tunneltype like 'ipsec%' then 'ipsec' else tunneltype end) as t_type, max
(coalesce(sentbyte, 0)) as traffic_out, max(coalesce(rcvdbyte, 0)) as
traffic_in from $log where $filter and subtype='vpn' and (tunneltype like
'ipsec%' or tunneltype like 'ssl%') and action in ('tunnel-stats', 'tunnel-
down') and tunnelid is not null group by hodex, devid, vd, remip, t_type,
tunnelid)### t group by hodex, devid, t_type, vd, remip, tunnelid ) tt group
by hodex order by hodex
Dataset Name Description Log Category

Top-S2S-IPSEC-Tunnels-By-Bandwidth- Top S2S IPsec tunnels by bandwidth usage and avail event
and-Availability

select
vpntunnel,
tunneltype,
sum(traffic_out) as traffic_out,
sum(traffic_in) as traffic_in,
sum(bandwidth) as bandwidth,
sum(uptime) as uptime
from
(
select
vpntunnel,
tunneltype,
tunnelid,
devid,
vd,
sum(sent_end - sent_beg) as traffic_out,
sum(rcvd_end - rcvd_beg) as traffic_in,
sum(

41 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

sent_end - sent_beg + rcvd_end - rcvd_beg

) as bandwidth,
sum(duration_end - duration_beg) as uptime
from
###(select tunnelid, tunneltype, vpntunnel, devid, vd, min(coalesce(sentbyte, 0))
as sent_beg, max(coalesce(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte,
0)) as rcvd_beg, max(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce
(duration, 0)) as duration_beg, max(coalesce(duration, 0)) as duration_end
from $log where $filter and subtype='vpn' and action='tunnel-stats' and
tunneltype like 'ipsec%' and (tunnelip is null or (tunnelip='0.0.0.0' and
logver is null)) and nullifna(`user`) is null and tunnelid is not null group
by tunnelid, tunneltype, vpntunnel, devid, vd order by tunnelid)### t group
by vpntunnel, tunneltype, tunnelid, devid, vd order by bandwidth desc) t
group by vpntunnel, tunneltype order by bandwidth desc
Dataset Name Description Log Category

Top-Dialup-IPSEC-By-Bandwidth-and- Top dialup IPsec users by bandwidth usage and avail event
Availability

select
user_src,
remip,
sum(traffic_out) as traffic_out,
sum(traffic_in) as traffic_in,
sum(bandwidth) as bandwidth,
sum(uptime) as uptime
from
(
select
user_src,
remip,
tunnelid,
devid,
vd,
sum(sent_end - sent_beg) as traffic_out,
sum(rcvd_end - rcvd_beg) as traffic_in,
sum(
sent_end - sent_beg + rcvd_end - rcvd_beg
) as bandwidth,
sum(duration_end - duration_beg) as uptime
from
###(select tunnelid, coalesce(nullifna(`xauthuser`), nullifna(`user`), ipstr
(`remip`)) as user_src, remip, devid, vd, min(coalesce(sentbyte, 0)) as sent_
beg, max(coalesce(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as
rcvd_beg, max(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce(duration, 0))
as duration_beg, max(coalesce(duration, 0)) as duration_end from $log where
$filter and subtype='vpn' and action='tunnel-stats' and tunneltype like
'ipsec%' and not (tunnelip is null or (tunnelip='0.0.0.0' and logver is
null)) and tunnelid is not null group by tunnelid, user_src, remip, devid, vd
order by tunnelid)### t group by user_src, remip, tunnelid, devid, vd order
by bandwidth desc) t group by user_src, remip order by bandwidth desc
Dataset Name Description Log Category

Top-SSL-Tunnel-Mode-By-Bandwidth- Top SSL tunnel users by bandwidth usage and avail event
and-Availability

Dataset Reference 42
Fortinet, Inc.
Dataset Reference List Log Database Tables

select
user_src,
remote_ip,
sum(traffic_out) as traffic_out,
sum(traffic_in) as traffic_in,
sum(bandwidth) as bandwidth,
sum(uptime) as uptime
from
(
select
user_src,
remip as remote_ip,
tunnelid,
devid,
vd,
sum(sent_end - sent_beg) as traffic_out,
sum(rcvd_end - rcvd_beg) as traffic_in,
sum(
sent_end - sent_beg + rcvd_end - rcvd_beg
) as bandwidth,
sum(duration_end - duration_beg) as uptime
from
###(select tunnelid, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src,
remip, devid, vd, min(coalesce(sentbyte, 0)) as sent_beg, max(coalesce
(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as rcvd_beg, max
(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce(duration, 0)) as duration_
beg, max(coalesce(duration, 0)) as duration_end from $log where $filter and
subtype='vpn' and action='tunnel-stats' and tunneltype in ('ssl-tunnel',
'ssl') and coalesce(nullifna(`user`), ipstr(`remip`)) is not null and
tunnelid is not null group by tunnelid, user_src, remip, devid, vd order by
tunnelid)### t group by user_src, remote_ip, tunnelid, devid, vd order by
bandwidth desc) t group by user_src, remote_ip order by bandwidth desc
Dataset Name Description Log Category

Top-SSL-Web-Mode-By-Bandwidth-and- Top SSL web users by bandwidth usage and avail event
Availability

select
user_src,
remote_ip,
sum(traffic_out) as traffic_out,
sum(traffic_in) as traffic_in,
sum(bandwidth) as bandwidth,
sum(uptime) as uptime
from
(
select
user_src,
remip as remote_ip,
tunnelid,
devid,
vd,
sum(sent_end - sent_beg) as traffic_out,
sum(rcvd_end - rcvd_beg) as traffic_in,
sum(
sent_end - sent_beg + rcvd_end - rcvd_beg
) as bandwidth,

43 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

sum(duration_end - duration_beg) as uptime

from
###(select tunnelid, coalesce(nullifna(`user`), ipstr(`remip`)) as user_src,
remip, devid, vd, min(coalesce(sentbyte, 0)) as sent_beg, max(coalesce
(sentbyte, 0)) as sent_end, min(coalesce(rcvdbyte, 0)) as rcvd_beg, max
(coalesce(rcvdbyte, 0)) as rcvd_end, min(coalesce(duration, 0)) as duration_
beg, max(coalesce(duration, 0)) as duration_end from $log where $filter and
subtype='vpn' and action='tunnel-stats' and tunneltype='ssl-web' and coalesce
(nullifna(`user`), ipstr(`remip`)) is not null and tunnelid is not null group
by tunnelid, user_src, remip, devid, vd order by tunnelid)### t group by
user_src, remote_ip, tunnelid, devid, vd having sum(sent_end-sent_beg+rcvd_
end-rcvd_beg)>0 order by bandwidth desc) t group by user_src, remote_ip order
by bandwidth desc
Dataset Name Description Log Category

Admin-Login-Summary Event admin login summary event

select
`user` as f_user,
ui,
sum(
case when logid_to_int(logid)= 32001 then 1 else 0 end
) as total_num,
sum(
case when logid_to_int(logid)= 32003 then duration else 0 end
) as total_duration,
count(state) as total_change
from
$log
where
$filter
and nullifna(`user`) is not null
and logid_to_int(logid) in (32001, 32003)
group by
f_user,
ui
having
sum(
case when logid_to_int(logid)= 32001 then 1 else 0 end
)> 0
order by
total_num desc
Dataset Name Description Log Category

Admin-Login-Summary-By-Date Event admin login summary by date event

select
$flex_timescale as dom,
sum(
case when logid_to_int(logid)= 32001 then 1 else 0 end
) as total_num,
count(state) as total_change
from
$log
where
$filter

Dataset Reference 44
Fortinet, Inc.
Dataset Reference List Log Database Tables

and nullifna(`user`) is not null

and logid_to_int(logid) in (32001, 32003)
group by
dom
having
sum(
case when logid_to_int(logid)= 32001 then 1 else 0 end
)> 0
order by
dom
Dataset Name Description Log Category

Admin-Failed-Login-Summary Event admin failed login summary event

select
`user` as f_user,
ui,
count(status) as total_failed
from
$log
where
$filter
and nullifna(`user`) is not null
and logid_to_int(logid) = 32002
group by
ui,
f_user
order by
total_failed desc
Dataset Name Description Log Category

System-Summary-By-Severity Event system summary by severity event

select
(
case when level in ('critical', 'alert', 'emergency') then 'Critical' when level =
'error' then 'High' when level = 'warning' then 'Medium' when level = 'notice'
then 'Low' else 'Info' end
) as severity,
count(*) as total_num
from
$log
where
$filter
and subtype = 'system'
group by
severity
order by
total_num desc
Dataset Name Description Log Category

System-Summary-By-Date Event system summary by date event

select

45 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

$flex_timescale as dom,
sum(
case when level in ('critical', 'alert', 'emergency') then 1 else 0 end
) as critical,
sum(
case when level = 'error' then 1 else 0 end
) as high,
sum(
case when level = 'warning' then 1 else 0 end
) as medium,
sum(
case when level = 'notice' then 1 else 0 end
) as low,
sum(
case when level = 'information'
or level = 'debug' then 1 else 0 end
) as info
from
$log
where
$filter
and subtype = 'system'
group by
dom
order by
dom
Dataset Name Description Log Category

System-Critical-Severity-Events Event system critical severity events event

select
msg_desc as msg,
severity,
sum(count) as counts
from
###(select coalesce(nullifna(logdesc), msg) as msg_desc, (case when level in
('critical', 'alert', 'emergency') then 'Critical' when level='error' then 'High'
when level='warning' then 'Medium' when level='notice' then 'Low' else 'Info' end)
as severity, count(*) as count from $log where $filter and subtype='system' group
by msg_desc, severity order by count desc)### t where severity='Critical' group by
msg, severity order by counts desc
Dataset Name Description Log Category

System-High-Severity-Events Event system high severity events event

select
msg_desc as msg,
severity,
sum(count) as counts
from
###(select coalesce(nullifna(logdesc), msg) as msg_desc, (case when level in
('critical', 'alert', 'emergency') then 'Critical' when level='error' then 'High'
when level='warning' then 'Medium' when level='notice' then 'Low' else 'Info' end)
as severity, count(*) as count from $log where $filter and subtype='system' group
by msg_desc, severity order by count desc)### t where severity='High' group by msg,
severity order by counts desc

Dataset Reference 46
Fortinet, Inc.
Dataset Reference List Log Database Tables

Dataset Name Description Log Category

System-Medium-Severity-Events Event system medium severity events event

select
msg_desc as msg,
severity,
sum(count) as counts
from
###(select coalesce(nullifna(logdesc), msg) as msg_desc, (case when level in
('critical', 'alert', 'emergency') then 'Critical' when level='error' then 'High'
when level='warning' then 'Medium' when level='notice' then 'Low' else 'Info' end)
as severity, count(*) as count from $log where $filter and subtype='system' group
by msg_desc, severity order by count desc)### t where severity='Medium' group by
msg, severity order by counts desc
Dataset Name Description Log Category

utm-drilldown-Top-Traffic-Summary UTM drilldown traffic summary traffic

select
srcip,
srcname
from
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_
src, srcip, srcname from $log where $filter and logid_to_int(logid) not in (4, 7,
14) group by user_src, srcip, srcname)### t where $filter-drilldown group by srcip,
srcname
Dataset Name Description Log Category

utm-drilldown-Top-User-Destination UTM drilldown top user destination traffic

select
appid,
app,
dstip,
sum(sessions) as sessions,
sum(bandwidth) as bandwidth
from
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_
src, appid, app, dstip, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0)) as bandwidth from $log where $filter and logid_to_int(logid) not in
(4, 7, 14) and dstip is not null and nullifna(app) is not null group by user_src,
appid, app, dstip having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order
by bandwidth desc)### t where $filter-drilldown group by appid, app, dstip order by
bandwidth desc
Dataset Name Description Log Category

utm-drilldown-Email-Senders-Summary UTM drilldown email senders summary traffic

select
sum(requests) as requests,
sum(bandwidth) as bandwidth
from

47 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_

src, sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))
as bandwidth from $log where $filter and logid_to_int(logid) not in (4, 7, 14) and
service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') group
by user_src, sender order by requests desc)### t where $filter-drilldown
Dataset Name Description Log Category

utm-drilldown-Email-Receivers-Sum- UTM drilldown email receivers summary traffic

mary

select
sum(requests) as requests,
sum(bandwidth) as bandwidth
from
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_
src, recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte,
0)) as bandwidth from $log where $filter and logid_to_int(logid) not in (4, 7, 14)
and recipient is not null and service in ('pop3', 'POP3', '110/tcp', 'imap',
'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') group
by user_src, recipient order by requests desc)### t where $filter-drilldown
Dataset Name Description Log Category

utm-drilldown-Top-Email-Recipients-By- UTM drilldown top email recipients traffic

Bandwidth

select
recipient,
sum(bandwidth) as bandwidth
from
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_
src, recipient, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte,
0)) as bandwidth from $log where $filter and logid_to_int(logid) not in (4, 7, 14)
and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps',
'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') group by user_src, recipient order
by requests desc)### t where $filter-drilldown and recipient is not null group by
recipient having sum(bandwidth)>0 order by bandwidth desc
Dataset Name Description Log Category

utm-drilldown-Top-Email-Senders-By- UTM drilldown top email senders traffic

Bandwidth

select
sender,
sum(bandwidth) as bandwidth
from
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_
src, sender, count(*) as requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))
as bandwidth from $log where $filter and logid_to_int(logid) not in (4, 7, 14) and
service in ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') group
by user_src, sender order by requests desc)### t where $filter-drilldown and sender
is not null group by sender having sum(bandwidth)>0 order by bandwidth desc

Dataset Reference 48
Fortinet, Inc.
Dataset Reference List Log Database Tables

Dataset Name Description Log Category

utm-drilldown-Top-Allowed-Websites- UTM drilldown top allowed web sites by bandwidth traffic

By-Bandwidth

select
appid,
hostname,
sum(bandwidth) as bandwidth
from
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_
src, appid, hostname, (case when utmaction='blocked' then 1 else 0 end) as blocked,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic
where $filter and logid_to_int(logid) not in (4, 7, 14) and ((logver>=52 and
countweb>0) or ((logver is null) and utmevent in ('webfilter', 'banned-word', 'web-
content', 'command-block', 'script-filter'))) and hostname is not null group by
user_src, appid, hostname, blocked order by bandwidth desc)### t where $filter-
drilldown and blocked=0 group by appid, hostname order by bandwidth desc
Dataset Name Description Log Category

utm-drilldown-Top-Blocked-Websites- UTM drilldown top blocked web sites by request traffic

By-Request

select
appid,
hostname,
sum(requests) as requests
from
(
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as
user_src, appid, hostname, (case when utmaction='blocked' then 1 else 0 end) as
blocked, count(*) as requests from $log-traffic where $filter and logid_to_int
(logid) not in (4, 7, 14) and utmevent in ('webfilter', 'banned-word', 'web-
content', 'command-block', 'script-filter') and hostname is not null group by
user_src, appid, hostname, blocked order by requests desc)### union all ###
(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, 0 as appid,
hostname, (case when action='blocked' then 1 else 0 end) as blocked, count(*) as
requests from $log-webfilter where $filter and (eventtype is null or logver>=52)
and hostname is not null group by user_src, appid, hostname, blocked order by
requests desc)###) t where $filter-drilldown and blocked=1 group by appid,
hostname order by requests desc
Dataset Name Description Log Category

utm-drilldown-Top-Virus-By-Name UTM drilldown top virus traffic

select
virus,
sum(totalnum) as totalnum
from
(
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as
user_src, virus, count(*) as totalnum from $log-traffic where $filter and logid_
to_int(logid) not in (4, 7, 14) and utmevent is not null and virus is not null
group by user_src, virus order by totalnum desc)### union all ###(select
coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, count(*) as

49 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

totalnum from $log-virus where $filter and (eventtype is null or logver>=52) and
nullifna(virus) is not null group by user_src, virus order by totalnum desc)###)
t where $filter-drilldown group by virus order by totalnum desc
Dataset Name Description Log Category

utm-drilldown-Top-Attacks UTM drilldown top attacks by name attack

select
attack,
sum(attack_count) as attack_count
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, attack, count(*) as
attack_count from $log where $filter and nullifna(attack) is not null group by
user_src, attack order by attack_count desc)### t where $filter-drilldown group by
attack order by attack_count desc
Dataset Name Description Log Category

utm-drilldown-Top-Vulnerability UTM drilldown top vulnerability by name netscan

select
vuln,
sum(totalnum) as totalnum
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, vuln, count(*) as
totalnum from $log where $filter and action='vuln-detection' and vuln is not null
group by user_src, vuln order by totalnum desc)### t where $filter-drilldown group
by vuln order by totalnum desc
Dataset Name Description Log Category

utm-drilldown-Top-App-By-Bandwidth UTM drilldown top applications by bandwidth usage traffic

select
appid,
app,
sum(bandwidth) as bandwidth
from
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_
src, appid, app, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth,
count(*) as sessions from $log where $filter and logid_to_int(logid) not in (4, 7,
14) and nullifna(app) is not null group by user_src, appid, app order by sessions
desc)### t where $filter-drilldown group by appid, app having sum(bandwidth)>0
order by bandwidth desc
Dataset Name Description Log Category

utm-drilldown-Top-App-By-Sessions UTM drilldown top applications by session count traffic

select
appid,
app,
sum(sessions) as sessions
from
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as user_
src, appid, app, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth,
count(*) as sessions from $log where $filter and logid_to_int(logid) not in (4, 7,

Dataset Reference 50
Fortinet, Inc.
Dataset Reference List Log Database Tables

14) and nullifna(app) is not null group by user_src, appid, app order by sessions
desc)### t where $filter-drilldown group by appid, app order by sessions desc
Dataset Name Description Log Category

Top5-Users-By-Bandwidth UTM drilldown top users by bandwidth usage traffic

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as dldn_user,
count(*) as session,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth,
sum(
coalesce(sentbyte, 0)
) as traffic_out,
sum(
coalesce(rcvdbyte, 0)
) as traffic_in
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
dldn_user
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

bandwidth-app-Top-App-By-Bandwidth- Top applications by bandwidth usage traffic

Sessions

select
app_group_name(app) as app_group,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth,
sum(
coalesce(rcvdbyte, 0)
) as traffic_in,
sum(
coalesce(sentbyte, 0)
) as traffic_out,
count(*) as sessions
from
$log
where

51 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

$filter
and logid_to_int(logid) not in (4, 7, 14)
and nullifna(app) is not null
group by
app_group
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

bandwidth-app-Category-By-Bandwidth Application risk application usage by category traffic

select
appcat,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and nullifna(appcat) is not null
group by
appcat
order by
bandwidth desc
Dataset Name Description Log Category

bandwidth-app-Top-Users-By-Band- Bandwidth application top users by bandwidth usage traffic

width-Sessions

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth,
sum(
coalesce(rcvdbyte, 0)
) as traffic_in,
sum(
coalesce(sentbyte, 0)
) as traffic_out,
count(*) as sessions
from
$log
where
$filter

Dataset Reference 52
Fortinet, Inc.
Dataset Reference List Log Database Tables

and logid_to_int(logid) not in (4, 7, 14)

group by
user_src
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

bandwidth-app-Traffic-By-Active-User- Bandwidth application traffic by active user number traffic

Number

select
hodex,
count(
distinct(user_src)
) as total_user
from
###(select $flex_timescale as hodex, coalesce(nullifna(`user`), nullifna(`unauthuser`),
ipstr(`srcip`)) as user_src from $log where $filter and logid_to_int(logid) not in
(4, 7, 14) group by hodex, user_src order by hodex)### t group by hodex order by
hodex
Dataset Name Description Log Category

bandwidth-app-Top-Dest-By-Band- Bandwidth application top dest by bandwidth usage traffic

width-Sessions sessions

select
coalesce(
nullifna(
root_domain(hostname)
),
ipstr(`dstip`)
) as domain,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth,
sum(
coalesce(rcvdbyte, 0)
) as traffic_in,
sum(
coalesce(sentbyte, 0)
) as traffic_out,
count(*) as sessions
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
appid,
domain
having

53 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

bandwidth-app-Top-Policies-By-Band- Top policies by bandwidth and sessions traffic

width-Sessions

select
coalesce(
cast(poluuid as text),
cast(policyid as text)
) as polid,
sum(
coalesce(rcvdbyte, 0) + coalesce(sentbyte, 0)
) as bandwidth,
sum(
coalesce(rcvdbyte, 0)
) as traffic_in,
sum(
coalesce(sentbyte, 0)
) as traffic_out,
count(*) as sessions
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
polid
order by
bandwidth desc
Dataset Name Description Log Category

bandwidth-app-Traffic-Statistics Bandwidth application traffic statistics traffic

drop
table if exists stats_temp; create temporary table stats_temp(
total_sessions varchar(255),
total_bandwidth varchar(255),
ave_session varchar(255),
ave_bandwidth varchar(255),
active_date varchar(255),
total_users varchar(255),
total_app varchar(255),
total_dest varchar(255)
); insert into stats_temp (
total_sessions, total_bandwidth,
ave_session, ave_bandwidth
)
select
format_numeric_no_decimal(
sum(sessions)

Dataset Reference 54
Fortinet, Inc.
Dataset Reference List Log Database Tables

) as total_sessions,
bandwidth_unit(
sum(bandwidth)
) as total_bandwidth,
format_numeric_no_decimal(
cast(
sum(sessions)/ $days_num as decimal(18, 0)
)
) as ave_session,
bandwidth_unit(
cast(
sum(bandwidth)/ $days_num as decimal(18, 0)
)
) as ave_bandwidth
from
###(select count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as
bandwidth from $log where $filter and logid_to_int(logid) not in (4, 7, 14))### t;
update stats_temp set active_date=t1.dom from (select dom, sum(sessions) as
sessions from ###(select $DAY_OF_MONTH as dom, count(*) as sessions from $log where
$filter and logid_to_int(logid) not in (4, 7, 14) group by dom order by
sessions)### t group by dom order by sessions desc limit 1) as t1; update stats_
temp set total_users=t2.totalnum from (select format_numeric_no_decimal(count
(distinct(user_src))) as totalnum from ###(select distinct(coalesce(nullifna
(`user`), nullifna(`unauthuser`), ipstr(`srcip`))) as user_src from $log where
$filter and logid_to_int(logid) not in (4, 7, 14))### t ) as t2; update stats_temp
set total_app=t3.totalnum from (select format_numeric_no_decimal(count(distinct
(app_group_name(app)))) as totalnum from ###(select distinct(app_group_name(app))
as app from $log where $filter and logid_to_int(logid) not in (4, 7, 14))### t ) as
t3; update stats_temp set total_dest=t4.totalnum from (select format_numeric_no_
decimal(count(distinct(dstip))) as totalnum from ###(select distinct(dstip) as
dstip from $log where $filter and logid_to_int(logid) not in (4, 7, 14))### t ) as
t4; select 'Total Sessions' as summary, total_sessions as stats from stats_temp
union all select 'Total Bytes Transferred' as summary, total_bandwidth as stats
from stats_temp union all select 'Most Active Date By Sessions' as summary, active_
date as stats from stats_temp union all select 'Total Users' as summary, total_
users as stats from stats_temp union all select 'Total Applications' as summary,
total_app as stats from stats_temp union all select 'Total Destinations' as
summary, total_dest as stats from stats_temp union all select 'Average Sessions Per
Day' as summary, ave_session as stats from stats_temp union all select 'Average
Bytes Per Day' as summary, ave_bandwidth as stats from stats_temp
Dataset Name Description Log Category

Score-Summary-For-All-Users-Devices Reputation score summary for all users devices traffic

select
$flex_timescale as hodex,
sum(crscore % 65536) as scores
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and crscore is not null
group by
hodex
having
sum(crscore % 65536)> 0
order by

55 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

hodex
Dataset Name Description Log Category

Number-Of-Incidents-For-All-Users- Reputation number of incidents for all users devices traffic

Devices

select
$flex_timescale as hodex,
sum(crscore % 65536) as scores,
count(*) as totalnum
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and crscore is not null
group by
hodex
having
sum(crscore % 65536)> 0
order by
hodex
Dataset Name Description Log Category

Top-Users-By-Reputation-Scores Reputation top users by scores traffic

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
sum(crscore % 65536) as scores
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and crscore is not null
group by
user_src
having
sum(crscore % 65536)> 0
order by
scores desc
Dataset Name Description Log Category

Top-Devices-By-Reputation-Scores Reputation top devices by scores traffic

select
devtype,
coalesce(
nullifna(`srcname`),
nullifna(`srcmac`),

Dataset Reference 56
Fortinet, Inc.
Dataset Reference List Log Database Tables

ipstr(`srcip`)
) as dev_src,
sum(crscore % 65536) as scores
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and crscore is not null
group by
devtype,
dev_src
having
sum(crscore % 65536)> 0
order by
scores desc
Dataset Name Description Log Category

Top-Users-With-Increased-Scores Reputation top users with increased scores traffic

drop
table if exists prd1_usr_tbl;
drop
table if exists prd2_usr_tbl; create temporary table prd1_usr_tbl as ###(select
coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as f_user, sum
(crscore%65536) as sum_rp_score from $log where $pre_period $filter and logid_to_
int(logid) not in (4, 7, 14) and crscore is not null group by f_user having sum
(crscore%65536)>0 order by sum_rp_score desc)###; create temporary table prd2_usr_
tbl as ###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr
(`srcip`)) as f_user, sum(crscore%65536) as sum_rp_score from $log where $filter
and logid_to_int(logid) not in (4, 7, 14) and crscore is not null group by f_user
having sum(crscore%65536)>0 order by sum_rp_score desc)###; select t1.f_user, sum
(t1.sum_rp_score) as t1_sum_score, sum(t2.sum_rp_score) as t2_sum_score, (sum
(t2.sum_rp_score)-sum(t1.sum_rp_score)) as delta from prd1_usr_tbl as t1 inner join
prd2_usr_tbl as t2 on t1.f_user=t2.f_user where t2.sum_rp_score > t1.sum_rp_score
group by t1.f_user order by delta desc
Dataset Name Description Log Category

Top-Devices-With-Increased-Scores Reputation top devices with increased scores traffic

drop
table if exists prd1_dev_tbl;
drop
table if exists prd2_dev_tbl; create temporary table prd1_dev_tbl as ###(select
coalesce(nullifna(`srcname`),nullifna(`srcmac`), ipstr(`srcip`)) as f_device,
devtype, sum(crscore%65536) as sum_rp_score from $log where $pre_period $filter and
logid_to_int(logid) not in (4, 7, 14) and crscore is not null group by f_device,
devtype having sum(crscore%65536)>0 order by sum_rp_score desc)###; create
temporary table prd2_dev_tbl as ###(select coalesce(nullifna(`srcname`),nullifna
(`srcmac`), ipstr(`srcip`)) as f_device, devtype, sum(crscore%65536) as sum_rp_
score from $log where $filter and logid_to_int(logid) not in (4, 7, 14) and crscore
is not null group by f_device, devtype having sum(crscore%65536)>0 order by sum_rp_
score desc)###; select t1.f_device, t1.devtype , sum(t1.sum_rp_score) as t1_sum_
score, sum(t2.sum_rp_score) as t2_sum_score, (sum(t2.sum_rp_score)-sum(t1.sum_rp_
score)) as delta from prd1_dev_tbl as t1 inner join prd2_dev_tbl as t2 on t1.f_
device=t2.f_device and t1.devtype=t2.devtype where t2.sum_rp_score > t1.sum_rp_
score group by t1.f_device, t1.devtype order by delta desc

57 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

Dataset Name Description Log Category

Attacks-By-Severity Threat attacks by severity attack

select
(
case when severity = 'critical' then 'Critical' when severity = 'high' then 'High'
when severity = 'medium' then 'Medium' when severity = 'low' then 'Low' when
severity = 'info' then 'Info' end
) as severity,
count(*) as totalnum
from
$log
where
$filter
group by
severity
order by
totalnum desc
Dataset Name Description Log Category

Top-Attacks-Detected Threat top attacks detected attack

select
attack,
severity,
sum(attack_count) as attack_count
from
###(select attack, severity, (case when severity = 'critical' then 1 when severity =
'high' then 2 when severity = 'medium' then 3 when severity = 'low' then 4 else 5
end) as severity_level, count(*) as attack_count from $log where $filter and
nullifna(attack) is not null group by attack, severity, severity_level order by
severity_level, attack_count desc)### t group by attack, severity, severity_level
order by severity_level, attack_count desc
Dataset Name Description Log Category

Top-Attacks-Blocked Threat top attacks blocked attack

select
attack,
count(*) as attack_count
from
$log
where
$filter
and nullifna(attack) is not null
and action in (
'deny', 'blocked', 'reset', 'dropped'
)
group by
attack
order by
attack_count desc

Dataset Reference 58
Fortinet, Inc.
Dataset Reference List Log Database Tables

Dataset Name Description Log Category

Top-Virus-Source Threat top virus source traffic

select
srcip,
hostname,
sum(totalnum) as totalnum
from
(
###(select srcip, hostname, count(*) as totalnum from $log-traffic where $filter and
logid_to_int(logid) not in (4, 7, 14) and utmevent is not null and virus is not
null group by srcip, hostname order by totalnum desc)### union all ###(select
srcip , ipstr(`dstip`) as hostname, count(*) as totalnum from $log-virus where
$filter and (eventtype is null or logver>=52) and nullifna(virus) is not null
group by srcip, hostname order by totalnum desc)###) t group by srcip, hostname
order by totalnum desc
Dataset Name Description Log Category

Intrusion-in-Last-7-Days Threat intrusion timeline attack

select
$flex_timescale as hodex,
count(*) as totalnum
from
$log
where
$filter
group by
hodex
order by
hodex
Dataset Name Description Log Category

Virus-Time-Line Threat virus timeline virus

select
hodex,
sum(totalnum) as totalnum
from
(
###(select $flex_timescale as hodex, count(*) as totalnum from $log-traffic where
$filter and logid_to_int(logid) not in (4, 7, 14) and utmevent is not null and
virus is not null group by hodex order by hodex desc)### union all ###(select
$flex_timescale as hodex, count(*) as totalnum from $log-virus where $filter and
(eventtype is null or logver>=52) and nullifna(virus) is not null group by hodex
order by hodex desc)###) t group by hodex order by hodex desc
Dataset Name Description Log Category

Top-Spyware-Victims Threat top spyware victims virus

select
user_src,

59 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

sum(totalnum) as totalnum
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, count(*) as
totalnum from $log where $filter group by user_src, virus order by totalnum
desc)### t where virus like 'Riskware%' group by user_src order by totalnum desc
Dataset Name Description Log Category

Top-Spyware-by-Name Threat top spyware by name virus

select
virus,
sum(totalnum) as totalnum
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, count(*) as
totalnum from $log where $filter group by user_src, virus order by totalnum
desc)### t where virus like 'Riskware%' group by virus order by totalnum desc
Dataset Name Description Log Category

Top-Spyware-Source Threat top spyware source traffic

select
srcip,
hostname,
count(*) as totalnum
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and virus like 'Riskware%'
group by
srcip,
hostname
order by
totalnum desc
Dataset Name Description Log Category

Spyware-Time-Line Threat spyware timeline virus

select
$flex_timescale as hodex,
count(*) as totalnum
from
$log
where
$filter
and virus like 'Riskware%'
group by
hodex
order by
hodex desc

Dataset Reference 60
Fortinet, Inc.
Dataset Reference List Log Database Tables

Dataset Name Description Log Category

Top-Adware-Victims Threat top adware victims virus

select
user_src,
sum(totalnum) as totalnum
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, count(*) as
totalnum from $log where $filter group by user_src, virus order by totalnum
desc)### t where virus like 'Adware%' group by user_src order by totalnum desc
Dataset Name Description Log Category

Top-Adware-by-Name Threat top adware by name virus

select
virus,
sum(totalnum) as totalnum
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, count(*) as
totalnum from $log where $filter group by user_src, virus order by totalnum
desc)### t where virus like 'Adware%' group by virus order by totalnum desc
Dataset Name Description Log Category

Top-Adware-Source Threat top adware source traffic

select
srcip,
hostname,
count(*) as totalnum
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and virus like 'Adware%'
group by
srcip,
hostname
order by
totalnum desc
Dataset Name Description Log Category

Adware-Time-Line Threat adware timeline virus

select
$flex_timescale as hodex,
count(*) as totalnum
from
$log
where
$filter
and virus like 'Adware%'

61 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

group by
hodex
order by
hodex desc
Dataset Name Description Log Category

Intrusions-Timeline-By-Severity Threat intrusions timeline by severity attack

select
$flex_timescale as timescale,
(
case when severity = 'critical' then 'Critical' when severity = 'high' then 'High'
when severity = 'medium' then 'Medium' when severity = 'low' then 'Low' when
severity = 'info' then 'Info' end
) as severity,
count(*) as totalnum
from
$log
where
$filter
group by
timescale,
severity
order by
timescale
Dataset Name Description Log Category

Top-Intrusions-By-Types Threat top intrusions by types attack

select
vuln_type,
count(*) as totalnum
from
$log t1
left join ips_mdata t2 on t1.attack = t2.name
where
$filter
and vuln_type is not null
group by
vuln_type
order by
totalnum desc
Dataset Name Description Log Category

Critical-Severity-Intrusions Threat critical severity intrusions attack

select
attack,
vuln_type,
count(*) as totalnum
from
$log t1
left join ips_mdata t2 on t1.attack = t2.name
where

Dataset Reference 62
Fortinet, Inc.
Dataset Reference List Log Database Tables

$filter
and t1.severity = 'critical'
group by
attack,
vuln_type
order by
totalnum desc
Dataset Name Description Log Category

High-Severity-Intrusions Threat high severity intrusions attack

select
attack,
vuln_type,
count(*) as totalnum
from
$log t1
left join ips_mdata t2 on t1.attack = t2.name
where
$filter
and t1.severity = 'high'
group by
attack,
vuln_type
order by
totalnum desc
Dataset Name Description Log Category

Medium-Severity-Intrusions Threat medium severity intrusions attack

select
attack,
vuln_type,
count(*) as totalnum
from
$log t1
left join ips_mdata t2 on t1.attack = t2.name
where
$filter
and t1.severity = 'medium'
group by
attack,
vuln_type
order by
totalnum desc
Dataset Name Description Log Category

Low-Severity-Intrusions Threat low severity intrusions attack

select
attack,
vuln_type,
count(*) as totalnum
from

63 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

$log t1
left join ips_mdata t2 on t1.attack = t2.name
where
$filter
and t1.severity = 'low'
group by
attack,
vuln_type
order by
totalnum desc
Dataset Name Description Log Category

Top-Intrusion-Victims Threat top intrusion victims attack

select
victim,
sum(cri_num) as critical,
sum(high_num) as high,
sum(med_num) as medium,
sum(cri_num + high_num + med_num) as totalnum
from
###(select dstip as victim, sum((case when severity='critical' then 1 else 0 end)) as
cri_num, sum(case when severity='high' then 1 else 0 end) as high_num, sum(case
when severity='medium' then 1 else 0 end) as med_num from $log where $filter and
severity in ('critical', 'high', 'medium') group by victim)### t group by victim
order by totalnum desc
Dataset Name Description Log Category

Top-Intrusion-Sources Threat top intrusion sources attack

select
source,
sum(cri_num) as critical,
sum(high_num) as high,
sum(med_num) as medium,
sum(cri_num + high_num + med_num) as totalnum
from
###(select srcip as source, sum(case when severity='critical' then 1 else 0 end) as
cri_num, sum(case when severity='high' then 1 else 0 end) as high_num, sum(case
when severity='medium' then 1 else 0 end) as med_num from $log where $filter and
severity in ('critical', 'high', 'medium') group by source)### t group by source
order by totalnum desc
Dataset Name Description Log Category

Top-Blocked-Intrusions Threat top blocked intrusions attack

select
attack,
(
case when t1.severity = 'critical' then 'Critical' when t1.severity = 'high' then
'High' when t1.severity = 'medium' then 'Medium' when t1.severity = 'low' then
'Low' when t1.severity = 'info' then 'Info' end
) as severity_name,
count(*) as totalnum,
vuln_type,

Dataset Reference 64
Fortinet, Inc.
Dataset Reference List Log Database Tables

(
case when t1.severity = 'critical' then 0 when t1.severity = 'high' then 1 when
t1.severity = 'medium' then 2 when t1.severity = 'low' then 3 when t1.severity =
'info' then 4 else 5 end
) as severity_number
from
$log t1
left join ips_mdata t2 on t1.attack = t2.name
where
$filter
and nullifna(attack) is not null
and action in (
'deny', 'blocked', 'reset', 'dropped'
)
group by
attack,
t1.severity,
vuln_type
order by
severity_number,
totalnum desc
Dataset Name Description Log Category

Top-Monitored-Intrusions Threat top monitored intrusions attack

select
attack,
(
case when t1.severity = 'critical' then 'Critical' when t1.severity = 'high' then
'High' when t1.severity = 'medium' then 'Medium' when t1.severity = 'low' then
'Low' when t1.severity = 'info' then 'Info' end
) as severity_name,
count(*) as totalnum,
vuln_type,
(
case when t1.severity = 'critical' then 0 when t1.severity = 'high' then 1 when
t1.severity = 'medium' then 2 when t1.severity = 'low' then 3 when t1.severity =
'info' then 4 else 5 end
) as severity_number
from
$log t1
left join ips_mdata t2 on t1.attack = t2.name
where
$filter
and nullifna(attack) is not null
and action not in (
'deny', 'blocked', 'reset', 'dropped'
)
group by
attack,
t1.severity,
vuln_type
order by
severity_number,
totalnum desc

65 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

Dataset Name Description Log Category

Attacks-Over-HTTP-HTTPs Threat attacks over HTTP HTTPs attack

select
attack,
(
case when severity = 'critical' then 'Critical' when severity = 'high' then 'High'
when severity = 'medium' then 'Medium' when severity = 'low' then 'Low' when
severity = 'info' then 'Info' end
) as severity,
count(*) as totalnum,
(
case when severity = 'critical' then 0 when severity = 'high' then 1 when severity =
'medium' then 2 when severity = 'low' then 3 when severity = 'info' then 4 else
5 end
) as severity_number
from
$log
where
$filter
and severity in ('critical', 'high', 'medium')
and upper(service) in ('HTTP', 'HTTPS')
group by
attack,
severity,
severity_number
order by
severity_number,
totalnum desc
Dataset Name Description Log Category

default-AP-Detection-Summary-by- Default access point detection summary by status off- event

Status-OffWire wire

select
(
case apstatus when 1 then 'rogue' when 2 then 'accepted' when 3 then 'suppressed'
else 'others' end
) as ap_full_status,
count(*) as totalnum
from
(
select
apstatus,
bssid,
ssid
from
###(select apstatus, bssid, ssid, count(*) as subtotal from $log where $filter
and apstatus is not null and apstatus!=0 and bssid is not null and
onwire='no' and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564,
43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by
apstatus, bssid, ssid order by subtotal desc)### t group by apstatus, bssid,
ssid) t group by ap_full_status order by totalnum desc

Dataset Reference 66
Fortinet, Inc.
Dataset Reference List Log Database Tables

Dataset Name Description Log Category

default-AP-Detection-Summary-by- Default access point detection summary by status off- event

Status-OffWire_table wire

select
(
case apstatus when 1 then 'rogue' when 2 then 'accepted' when 3 then 'suppressed'
else 'others' end
) as ap_full_status,
count(*) as totalnum
from
(
select
apstatus,
bssid,
ssid
from
###(select apstatus, bssid, ssid, count(*) as subtotal from $log where $filter
and apstatus is not null and apstatus!=0 and bssid is not null and
onwire='no' and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564,
43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by
apstatus, bssid, ssid order by subtotal desc)### t group by apstatus, bssid,
ssid) t group by ap_full_status order by totalnum desc
Dataset Name Description Log Category

default-AP-Detection-Summary-by- Default access point detection summary by status on- event

Status-OnWire wire

select
(
case apstatus when 1 then 'rogue' when 2 then 'accepted' when 3 then 'suppressed'
else 'others' end
) as ap_full_status,
count(*) as totalnum
from
(
select
apstatus,
bssid,
ssid
from
###(select apstatus, bssid, ssid, count(*) as subtotal from $log where $filter
and apstatus is not null and apstatus!=0 and bssid is not null and
onwire='yes' and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564,
43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by
apstatus, bssid, ssid order by subtotal desc)### t group by apstatus, bssid,
ssid) t group by ap_full_status order by totalnum desc
Dataset Name Description Log Category

default-AP-Detection-Summary-by- Default access point detection summary by status on- event

Status-OnWire_table wire

select

67 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

(
case apstatus when 1 then 'rogue' when 2 then 'accepted' when 3 then 'suppressed'
else 'others' end
) as ap_full_status,
count(*) as totalnum
from
(
select
apstatus,
bssid,
ssid
from
###(select apstatus, bssid, ssid, count(*) as subtotal from $log where $filter
and apstatus is not null and apstatus!=0 and bssid is not null and
onwire='yes' and logid_to_int(logid) in (43527, 43521, 43525, 43563, 43564,
43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group by
apstatus, bssid, ssid order by subtotal desc)### t group by apstatus, bssid,
ssid) t group by ap_full_status order by totalnum desc
Dataset Name Description Log Category

default-Managed-AP-Summary Default managed access point summary event

select
(
case when (
action like '%join%'
and logid_to_int(logid) in (43522, 43551)
) then 'Authorized' else 'Unauthorized' end
) as ap_status,
count(*) as totalnum
from
$log
where
$filter
and logid_to_int(logid) in (43522, 43551)
group by
ap_status
order by
totalnum desc
Dataset Name Description Log Category

default-Managed-AP-Summary_table Default managed access point summary event

select
(
case when (
action like '%join%'
and logid_to_int(logid) in (43522, 43551)
) then 'Authorized' else 'Unauthorized' end
) as ap_status,
count(*) as totalnum
from
$log
where
$filter

Dataset Reference 68
Fortinet, Inc.
Dataset Reference List Log Database Tables

and logid_to_int(logid) in (43522, 43551)

group by
ap_status
order by
totalnum desc
Dataset Name Description Log Category

default-Unclassified-AP-Summary Default unclassified access point summary event

select
(
case onwire when 'no' then 'off-wire' when 'yes' then 'on-wire' else 'others' end
) as ap_status,
count(*) as totalnum
from
###(select onwire, ssid, bssid, count(*) as subtotal from $log where $filter and
apstatus=0 and bssid is not null and logid_to_int(logid) in (43521, 43525, 43527,
43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group
by onwire, ssid, bssid order by subtotal desc)### t group by ap_status order by
totalnum desc
Dataset Name Description Log Category

default-Unclassified-AP-Summary_ Default unclassified access point summary event

table

select
(
case onwire when 'no' then 'off-wire' when 'yes' then 'on-wire' else 'others' end
) as ap_status,
count(*) as totalnum
from
###(select onwire, ssid, bssid, count(*) as subtotal from $log where $filter and
apstatus=0 and bssid is not null and logid_to_int(logid) in (43521, 43525, 43527,
43563, 43564, 43565, 43566, 43569, 43570, 43571, 43582, 43583, 43584, 43585) group
by onwire, ssid, bssid order by subtotal desc)### t group by ap_status order by
totalnum desc
Dataset Name Description Log Category

default-selected-AP-Details-OffWire Default selected access point details off-wire event

select
(
case apstatus when 0 then 'unclassified' when 1 then 'rogue' when 2 then 'accepted'
when 3 then 'suppressed' else 'others' end
) as ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
rssi,
channel,
radioband,
from_dtime(

69 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

min(dtime)
) as first_seen,
from_dtime(
max(dtime)
) as last_seen,
detectionmethod,
itime,
onwire as on_wire
from
$log
where
$filter
and apstatus is not null
and bssid is not null
and onwire = 'no'
and logid_to_int(logid) in (
43521, 43563, 43564, 43565, 43566, 43569,
43570, 43571
)
group by
ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
rssi,
channel,
radioband,
detectionmethod,
itime,
onwire,
apstatus
Dataset Name Description Log Category

default-selected-AP-Details-OnWire Default selected access point details on-wire event

select
(
case apstatus when 0 then 'unclassified' when 1 then 'rogue' when 2 then 'accepted'
when 3 then 'suppressed' else 'others' end
) as ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
rssi,
channel,
radioband,
from_dtime(
min(dtime)
) as first_seen,
from_dtime(
max(dtime)
) as last_seen,

Dataset Reference 70
Fortinet, Inc.
Dataset Reference List Log Database Tables

detectionmethod,
itime,
onwire as on_wire
from
$log
where
$filter
and apstatus is not null
and bssid is not null
and onwire = 'yes'
and logid_to_int(logid) in (
43521, 43563, 43564, 43565, 43566, 43569,
43570, 43571
)
group by
ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
rssi,
channel,
radioband,
detectionmethod,
itime,
onwire,
apstatus
Dataset Name Description Log Category

event-Wireless-Client-Details Event wireless client details event

drop
table if exists ip_list; create temporary table ip_list as
select
ip,
lower(mac) as lmac,
sn,
ssid,
channel,
radioband,
min(dtime) as first,
max(dtime) as last
from
$log - event
where
$filter
and ip is not null
and mac is not null
and sn is not null
and ssid is not null
group by
ip,
lmac,
sn,
ssid,

71 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

channel,
radioband
order by
ip;
select
user_src,
ip,
lmac,
sn,
ssid,
channel,
radioband,
from_dtime(first) as first_seen,
from_dtime(last) as last_seen,
cast(
volume as decimal(18, 2)
) as bandwidth
from
(
select
*
from
ip_list
inner join (
select
user_src,
srcip,
sum(volume) as volume
from
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr
(`srcip`)) as user_src, srcip, sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0)) as volume from $log-traffic where $filter-time and logid_
to_int(logid) not in (4, 7, 14) and srcip is not null group by user_src,
srcip having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by
volume desc)### t group by user_src, srcip order by user_src, srcip) t
on ip_list.ip = t.srcip) t order by volume desc
Dataset Name Description Log Category

event-Wireless-Accepted-Offwire Event wireless accepted off-wire event

select
'accepted' as ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
from_dtime(
max(last_seen)
) as last_seen,
detectionmethod,
snclosest,
'no' as on_wire
from

Dataset Reference 72
Fortinet, Inc.
Dataset Reference List Log Database Tables

###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod,

snclosest, onwire, logid, apstatus, max(dtime) as last_seen from $log where $filter
and bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564,
43565, 43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel,
radioband, detectionmethod, snclosest, onwire, logid, apstatus order by last_seen
desc)### t where apstatus=2 and onwire='no' group by devid, vd, ssid, bssid, manuf,
channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name Description Log Category

event-Wireless-Accepted-Onwire Event wireless accepted on-wire event

select
'accepted' as ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
from_dtime(
max(last_seen)
) as last_seen,
detectionmethod,
snclosest,
'yes' as on_wire
from
###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod,
snclosest, onwire, apstatus, max(dtime) as last_seen from $log where $filter and
bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564, 43565,
43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel,
radioband, detectionmethod, snclosest, onwire, apstatus order by last_seen desc)###
t where apstatus=2 and onwire='yes' group by devid, vd, ssid, bssid, manuf,
channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name Description Log Category

event-Wireless-Rogue-Offwire Event wireless rogue off-wire event

select
'rogue' as ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
from_dtime(
max(last_seen)
) as last_seen,
detectionmethod,
snclosest,
'no' as on_wire
from
###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod,
snclosest, onwire, logid, apstatus, max(dtime) as last_seen from $log where $filter

73 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

and bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564,
43565, 43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel,
radioband, detectionmethod, snclosest, onwire, logid, apstatus order by last_seen
desc)### t where apstatus=1 and onwire='no' group by devid, vd, ssid, bssid, manuf,
channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name Description Log Category

event-Wireless-Rogue-Onwire Event wireless rogue on-wire event

select
'rogue' as ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
from_dtime(
max(last_seen)
) as last_seen,
detectionmethod,
snclosest,
'yes' as on_wire
from
###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod,
snclosest, onwire, apstatus, max(dtime) as last_seen from $log where $filter and
bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564, 43565,
43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel,
radioband, detectionmethod, snclosest, onwire, apstatus order by last_seen desc)###
t where apstatus=1 and onwire='yes' group by devid, vd, ssid, bssid, manuf,
channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name Description Log Category

event-Wireless-Suppressed-Offwire Event wireless suppressed off-wire event

select
'suppressed' as ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
from_dtime(
max(last_seen)
) as last_seen,
detectionmethod,
snclosest,
'no' as on_wire
from
###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod,
snclosest, onwire, logid, apstatus, max(dtime) as last_seen from $log where $filter
and bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564,
43565, 43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel,

Dataset Reference 74
Fortinet, Inc.
Dataset Reference List Log Database Tables

radioband, detectionmethod, snclosest, onwire, logid, apstatus order by last_seen

desc)### t where apstatus=3 and onwire='no' group by devid, vd, ssid, bssid, manuf,
channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name Description Log Category

event-Wireless-Suppressed-Onwire Event wireless suppressed on-wire event

select
'suppressed' as ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
from_dtime(
max(last_seen)
) as last_seen,
detectionmethod,
snclosest,
'yes' as on_wire
from
###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod,
snclosest, onwire, apstatus, max(dtime) as last_seen from $log where $filter and
bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564, 43565,
43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel,
radioband, detectionmethod, snclosest, onwire, apstatus order by last_seen desc)###
t where apstatus=3 and onwire='yes' group by devid, vd, ssid, bssid, manuf,
channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name Description Log Category

event-Wireless-Unclassified-Offwire Event wireless unclassified off-wire event

select
'unclassified' as ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
from_dtime(
max(last_seen)
) as last_seen,
detectionmethod,
snclosest,
'no' as on_wire
from
###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod,
snclosest, onwire, logid, apstatus, max(dtime) as last_seen from $log where $filter
and bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564,
43565, 43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel,
radioband, detectionmethod, snclosest, onwire, logid, apstatus order by last_seen

75 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

desc)### t where apstatus=0 and onwire='no' group by devid, vd, ssid, bssid, manuf,
channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name Description Log Category

event-Wireless-Unclassified-Onwire Event wireless unclassified on-wire event

select
'unclassified' as ap_full_status,
devid,
vd,
ssid,
bssid,
manuf,
channel,
radioband,
from_dtime(
max(last_seen)
) as last_seen,
detectionmethod,
snclosest,
'yes' as on_wire
from
###(select devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod,
snclosest, onwire, apstatus, max(dtime) as last_seen from $log where $filter and
bssid is not null and logid_to_int(logid) in (43521, 43525, 43563, 43564, 43565,
43566, 43569, 43570, 43571) group by devid, vd, ssid, bssid, manuf, channel,
radioband, detectionmethod, snclosest, onwire, apstatus order by last_seen desc)###
t where apstatus=0 and onwire='yes' group by devid, vd, ssid, bssid, manuf,
channel, radioband, detectionmethod, snclosest order by last_seen desc
Dataset Name Description Log Category

default-Top-IPSEC-Vpn-Dial-Up-User- Default top IPsec VPN dial up user by bandwidth event

By-Bandwidth usage

select
coalesce(
xauthuser_agg,
user_agg,
ipstr(`remip`)
) as user_src,
from_dtime(
min(s_time)
) as start_time,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
(
select
devid,
vd,
string_agg(distinct xauthuser_agg, ' ') as xauthuser_agg,
string_agg(distinct user_agg, ' ') as user_agg,
remip,
tunnelid,

Dataset Reference 76
Fortinet, Inc.
Dataset Reference List Log Database Tables

min(s_time) as s_time,
max(e_time) as e_time,
(
case when min(s_time)= max(e_time) then max(max_traffic_in)+ max(max_traffic_
out) else max(max_traffic_in)- min(min_traffic_in)+ max(max_traffic_out)-
min(min_traffic_out) end
) as bandwidth,
(
case when min(s_time)= max(e_time) then max(max_traffic_in) else max(max_
traffic_in)- min(min_traffic_in) end
) as traffic_in,
(
case when min(s_time)= max(e_time) then max(max_traffic_out) else max(max_
traffic_out)- min(min_traffic_out) end
) as traffic_out
from
###(select devid, vd, nullifna(`xauthuser`) as xauthuser_agg, nullifna(`user`) as
user_agg, remip, tunnelid, min(coalesce(dtime, 0)) as s_time, max(coalesce
(dtime, 0)) as e_time, min(coalesce(sentbyte, 0)) as min_traffic_out, min
(coalesce(rcvdbyte, 0)) as min_traffic_in, max(coalesce(sentbyte, 0)) as max_
traffic_out, max(coalesce(rcvdbyte, 0)) as max_traffic_in from $log where
$filter and subtype='vpn' and tunneltype like 'ipsec%' and not (tunnelip is
null or (tunnelip='0.0.0.0' and logver is null)) and action in ('tunnel-
stats', 'tunnel-down', 'tunnel-up') and tunnelid is not null group by devid,
vd, xauthuser_agg, user_agg, remip, tunnelid order by tunnelid)### t group by
devid, vd, remip, tunnelid) tt group by user_src having sum(bandwidth)>0
order by bandwidth desc
Dataset Name Description Log Category

default-Top-Sources-Of-SSL-VPN-Tun- Default top sources of SSL VPN tunnels by bandwidth event

nels-By-Bandwidth usage

select
remip as remote_ip,
sum(traffic_in + traffic_out) as bandwidth
from
(
select
devid,
vd,
remip,
tunnelid,
max(traffic_in) as traffic_in,
max(traffic_out) as traffic_out
from
###(select devid, vd, remip, tunnelid, max(coalesce(sentbyte, 0)) as traffic_out,
max(coalesce(rcvdbyte, 0)) as traffic_in from $log where $filter and
subtype='vpn' and tunneltype like 'ssl%' and action in ('tunnel-stats',
'tunnel-down') and remip is not null and tunnelid is not null group by devid,
vd, remip, tunnelid order by tunnelid)### t group by devid, vd, remip,
tunnelid) tt group by remote_ip having sum(traffic_in+traffic_out)>0 order by
bandwidth desc
Dataset Name Description Log Category

webfilter-Web-Activity-Summary-By- Webfilter web activity summary by requests webfilter

Requests

77 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

select
hodex,
sum(allowed_request) as allowed_request,
sum(blocked_request) as blocked_request
from
(
###(select $flex_timescale as hodex, sum(case when utmaction!='blocked' then 1 else
0 end) as allowed_request, sum(case when utmaction='blocked' then 1 else 0 end)
as blocked_request from $log-traffic where $filter and logid_to_int(logid) not
in (4, 7, 14) and utmevent in ('webfilter', 'banned-word', 'web-content',
'command-block', 'script-filter') group by hodex order by hodex)### union all
###(select $flex_timescale as hodex, sum(case when action!='blocked' then 1 else
0 end) as allowed_request, sum(case when action='blocked' then 1 else 0 end) as
blocked_request from $log-webfilter where $filter and (eventtype is null or
logver>=52) group by hodex order by hodex)###) t group by hodex order by hodex
Dataset Name Description Log Category

traffic-Browsing-Time-Summary Traffic browsing time summary traffic

select
hodex,
cast(
sum(delta)/ 60.0 as decimal(18, 2)
) as browsetime
from
###(select $flex_timescale as hodex, sum($browse_time) as delta from $log where $filter
and logid_to_int(logid) not in (4, 7, 14) group by hodex having sum($browse_time)>0
order by delta desc)### t group by hodex order by hodex
Dataset Name Description Log Category

traffic-Browsing-Time-Summary- Traffic browsing time summary enhanced traffic

Enhanced

select
hodex,
cast(
sum(delta)/ 60.0 as decimal(18, 2)
) as browsetime
from
###(select $flex_timescale as hodex, sum($browse_time2) as delta from $log where
$filter and logid_to_int(logid) not in (4, 7, 14) group by hodex having sum
($browse_time2)>0 order by delta desc)### t group by hodex order by hodex
Dataset Name Description Log Category

webfilter-Top-Web-Users-By-Blocked- Webfilter top web users by blocked requests webfilter

Requests

select
user_src,
sum(requests) as requests
from
(
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as
user_src, count(*) as requests from $log-traffic where $filter and logid_to_int
(logid) not in (4, 7, 14) and utmevent in ('webfilter', 'banned-word', 'web-

Dataset Reference 78
Fortinet, Inc.
Dataset Reference List Log Database Tables

content', 'command-block', 'script-filter') and coalesce(nullifna(`user`),

nullifna(`unauthuser`), ipstr(`srcip`)) is not null and utmaction='blocked'
group by user_src order by requests desc)### union all ###(select coalesce
(nullifna(`user`), ipstr(`srcip`)) as user_src, count(*) as requests from $log-
webfilter where $filter and (eventtype is null or logver>=52) and coalesce
(nullifna(`user`), ipstr(`srcip`)) is not null and action='blocked' group by
user_src order by requests desc)###) t group by user_src order by requests desc
Dataset Name Description Log Category

webfilter-Top-Web-Users-By-Allowed- Webfilter top web users by allowed requests webfilter

Requests

select
user_src,
sum(requests) as requests
from
(
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as
user_src, count(*) as requests from $log-traffic where $filter and logid_to_int
(logid) not in (4, 7, 14) and utmevent in ('webfilter', 'banned-word', 'web-
content', 'command-block', 'script-filter') and coalesce(nullifna(`user`),
nullifna(`unauthuser`), ipstr(`srcip`)) is not null and utmaction!='blocked'
group by user_src order by requests desc)### union all ###(select coalesce
(nullifna(`user`), ipstr(`srcip`)) as user_src, count(*) as requests from $log-
webfilter where $filter and (eventtype is null or logver>=52) and coalesce
(nullifna(`user`), ipstr(`srcip`)) is not null and action!='blocked' group by
user_src order by requests desc)###) t group by user_src order by requests desc
Dataset Name Description Log Category

traffic-Top-Web-Users-By-Browsing- Traffic top web users by browsing time traffic

Time

select
user_src,
sum(delta) as browsetime,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, sum($browse_time) as
delta, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce
(rcvdbyte, 0)) as traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log
where $filter group by user_src having sum($browse_time)>0 order by delta desc)###
t group by user_src order by browsetime desc
Dataset Name Description Log Category

webfilter-Top-Blocked-Web-Sites-By- Webfilter top blocked web sites by requests webfilter

Requests

select
domain,
catdesc,
sum(requests) as requests
from
(

79 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

###(select hostname as domain, catdesc, count(*) as requests from $log-traffic where

$filter and logid_to_int(logid) not in (4, 7, 14) and utmevent in ('webfilter',
'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is
not null and utmaction='blocked' group by domain, catdesc order by requests
desc)### union all ###(select hostname as domain, catdesc, count(*) as requests
from $log-webfilter where $filter and (eventtype is null or logver>=52) and
hostname is not null and catdesc is not null and action='blocked' group by
domain, catdesc order by requests desc)###) t group by domain, catdesc order by
requests desc
Dataset Name Description Log Category

webfilter-Top-Allowed-Web-Sites-By- Webfilter top allowed web sites by requests webfilter

Requests

select
domain,
string_agg(distinct catdesc, ', ') as agg_catdesc,
sum(requests) as requests
from
(
###(select hostname as domain, catdesc, count(*) as requests from $log-traffic where
$filter and logid_to_int(logid) not in (4, 7, 14) and utmevent in ('webfilter',
'banned-word', 'web-content', 'command-block', 'script-filter') and hostname is
not null and utmaction!='blocked' group by domain, catdesc order by requests
desc)### union all ###(select hostname as domain, catdesc, count(*) as requests
from $log-webfilter where $filter and (eventtype is null or logver>=52) and
hostname is not null and catdesc is not null and action!='blocked' group by
domain, catdesc order by requests desc)###) t group by domain order by requests
desc
Dataset Name Description Log Category

webfilter-Top-Video-Streaming-Web- Webfilter top video streaming websites by bandwidth webfilter

sites-By-Bandwidth usage

select
domain,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
###(select coalesce(nullifna(root_domain(hostname)), 'other') as domain, sum(coalesce
(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as
traffic_in, sum(coalesce(sentbyte, 0)) as traffic_out from $log-traffic where
$filter and logid_to_int(logid) not in (4, 7, 14) and ((logver>=52 and countweb>0)
or ((logver is null) and utmevent in ('webfilter', 'banned-word', 'web-content',
'command-block', 'script-filter'))) and catdesc in ('Streaming Media and Download')
group by domain having sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by
bandwidth desc)### t group by domain order by bandwidth desc
Dataset Name Description Log Category

webfilter-Top-Blocked-Web-Categories Webfilter top blocked web categories webfilter

select
catdesc,
sum(requests) as requests

Dataset Reference 80
Fortinet, Inc.
Dataset Reference List Log Database Tables

from
(
###(select catdesc, count(*) as requests from $log-traffic where $filter and logid_
to_int(logid) not in (4, 7, 14) and utmevent in ('webfilter', 'banned-word',
'web-content', 'command-block', 'script-filter') and catdesc is not null and
utmaction='blocked' group by catdesc order by requests desc)### union all ###
(select catdesc, count(*) as requests from $log-webfilter where $filter and
(eventtype is null or logver>=52) and catdesc is not null and action='blocked'
group by catdesc order by requests desc)###) t group by catdesc order by
requests desc
Dataset Name Description Log Category

webfilter-Top-Allowed-Web-Categories Webfilter top allowed web categories webfilter

select
catdesc,
sum(requests) as requests
from
(
###(select catdesc, count(*) as requests from $log-traffic where $filter and logid_
to_int(logid) not in (4, 7, 14) and utmevent in ('webfilter', 'banned-word',
'web-content', 'command-block', 'script-filter') and catdesc is not null and
utmaction!='blocked' group by catdesc order by requests desc)### union all ###
(select catdesc, count(*) as requests from $log-webfilter where $filter and
(eventtype is null or logver>=52) and catdesc is not null and action!='blocked'
group by catdesc order by requests desc)###) t group by catdesc order by
requests desc
Dataset Name Description Log Category

traffic-Top-50-Sites-By-Browsing-Time Traffic top sites by browsing time traffic

select
hostname,
string_agg(distinct catdesc, ', ') as agg_catdesc,
sum(delta) as browsetime,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
###(select hostname, catdesc, sum($browse_time) as delta, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in,
sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and logid_to_int
(logid) not in (4, 7, 14) and hostname is not null group by hostname, catdesc
having sum($browse_time)>0 order by delta desc)### t group by hostname order by
browsetime desc
Dataset Name Description Log Category

traffic-Top-50-Sites-By-Browsing-Time- Traffic top sites by browsing time enhanced traffic

Enhanced

select
hostname,
string_agg(distinct catdesc, ', ') as agg_catdesc,
sum(delta) as browsetime,
sum(bandwidth) as bandwidth,

81 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
###(select hostname, catdesc, sum($browse_time2) as delta, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in,
sum(coalesce(sentbyte, 0)) as traffic_out from $log where $filter and logid_to_int
(logid) not in (4, 7, 14) and hostname is not null group by hostname, catdesc
having sum($browse_time2)>0 order by delta desc)### t group by hostname order by
browsetime desc
Dataset Name Description Log Category

traffic-Top-10-Categories-By-Browsing- Traffic top category by browsing time traffic

Time

select
catdesc,
sum(delta) as browsetime,
sum(bandwidth) as bandwidth
from
###(select catdesc, sum($browse_time) as delta, sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0)) as bandwidth from $log where $filter and logid_to_int(logid) not in
(4, 7, 14) and catdesc is not null group by catdesc having sum($browse_time)>0
order by delta desc)### t group by catdesc order by browsetime desc
Dataset Name Description Log Category

traffic-Top-10-Categories-By-Browsing- Traffic top category by browsing time enhanced traffic

Time-Enhanced

select
catdesc,
sum(delta) as browsetime,
sum(bandwidth) as bandwidth
from
###(select catdesc, sum($browse_time2) as delta, sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0)) as bandwidth from $log where $filter and logid_to_int(logid) not in
(4, 7, 14) and catdesc is not null group by catdesc having sum($browse_time2)>0
order by delta desc)### t group by catdesc order by browsetime desc
Dataset Name Description Log Category

traffic-Top-Destination-Countries-By- Traffic top destination countries by browsing time traffic

Browsing-Time

select
dstcountry,
sum(delta) as browsetime,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
###(select dstcountry, sum($browse_time) as delta, sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce
(sentbyte, 0)) as traffic_out from $log where $filter and logid_to_int(logid) not
in (4, 7, 14) group by dstcountry having sum($browse_time)>0 order by delta
desc)### t group by dstcountry order by browsetime desc

Dataset Reference 82
Fortinet, Inc.
Dataset Reference List Log Database Tables

Dataset Name Description Log Category

traffic-Top-Destination-Countries-By- Traffic top destination countries by browsing time traffic

Browsing-Time-Enhanced enhanced

select
dstcountry,
sum(delta) as browsetime,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
###(select dstcountry, sum($browse_time2) as delta, sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce
(sentbyte, 0)) as traffic_out from $log where $filter and logid_to_int(logid) not
in (4, 7, 14) group by dstcountry having sum($browse_time2)>0 order by delta
desc)### t group by dstcountry order by browsetime desc
Dataset Name Description Log Category

webfilter-Top-Search-Phrases Webfilter top search phrases webfilter

select
keyword,
count(*) as requests
from
$log
where
$filter
and keyword is not null
group by
keyword
order by
requests desc
Dataset Name Description Log Category

Top-10-Users-Browsing-Time Estimated browsing time traffic

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
sum($browse_time) as browsetime
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
user_src
having
sum($browse_time)> 0
order by

83 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

browsetime desc
Dataset Name Description Log Category

Top-10-Users-Browsing-Time-Enhanced Estimated browsing time enhanced traffic

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
sum($browse_time2) as browsetime
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
user_src
having
sum($browse_time2)> 0
order by
browsetime desc
Dataset Name Description Log Category

Estimated-Browsing-Time Estimated browsing time traffic

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
sum($browse_time) as browsetime
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
user_src
having
sum($browse_time)> 0
order by
browsetime desc
Dataset Name Description Log Category

Estimated-Browsing-Time-Enhanced Estimated browsing time enhanced traffic

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)

Dataset Reference 84
Fortinet, Inc.
Dataset Reference List Log Database Tables

) as user_src,
sum($browse_time2) as browsetime
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
user_src
having
sum($browse_time2)> 0
order by
browsetime desc
Dataset Name Description Log Category

wifi-Top-AP-By-Bandwidth Top access point by bandwidth usage traffic

select
srcintf,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and (
srcssid is not null
or dstssid is not null
)
group by
srcintf
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

wifi-Top-AP-By-Client Top access point by client traffic

select
srcintf,
count(distinct srcmac) as totalnum
from
###(select srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) as subtotal
from $log where $filter and logid_to_int(logid) not in (4, 7, 14) and (srcssid is
not null or dstssid is not null) and srcmac is not null group by srcintf, srcssid,
osname, osversion, devtype, srcmac order by subtotal desc)### t group by srcintf
order by totalnum desc

85 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

Dataset Name Description Log Category

wifi-Top-SSID-By-Bandwidth Top SSIDs by bandwidth usage traffic

select
srcssid,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and srcssid is not null
group by
srcssid
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

wifi-Top-SSID-By-Client Top SSIDs by client traffic

select
srcssid,
count(distinct srcmac) as totalnum
from
###(select srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) as subtotal
from $log where $filter and logid_to_int(logid) not in (4, 7, 14) and (srcssid is
not null or dstssid is not null) and srcmac is not null group by srcintf, srcssid,
osname, osversion, devtype, srcmac order by subtotal desc)### t where srcssid is
not null group by srcssid order by totalnum desc
Dataset Name Description Log Category

wifi-Top-App-By-Bandwidth Top WiFi applications by bandwidth usage traffic

select
appid,
app,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and (
srcssid is not null
or dstssid is not null

Dataset Reference 86
Fortinet, Inc.
Dataset Reference List Log Database Tables

)
and nullifna(app) is not null
group by
appid,
app
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

wifi-Top-Client-By-Bandwidth Top WiFi client by bandwidth usage traffic

select
(
coalesce(srcname, srcmac, 'unknown') || ' (' || coalesce(devtype, 'unknown') || ', '
|| coalesce(osname, '') || (
case when osversion is null then '' else ' ' || osversion end
) || ')'
) as client,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and (
srcssid is not null
or dstssid is not null
)
group by
client
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

wifi-Top-OS-By-Bandwidth Top WiFi os by bandwidth usage traffic

select
(
coalesce(osname, 'unknown') || ' ' || coalesce(osversion, '')
) as os,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log

87 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and (
srcssid is not null
or dstssid is not null
)
group by
os
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

wifi-Top-OS-By-WiFi-Client Top WiFi os by WiFi client traffic

select
(
coalesce(osname, 'unknown') || ' ' || coalesce(osversion, '')
) as os,
count(distinct srcmac) as totalnum
from
###(select srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) as subtotal
from $log where $filter and logid_to_int(logid) not in (4, 7, 14) and (srcssid is
not null or dstssid is not null) and srcmac is not null group by srcintf, srcssid,
osname, osversion, devtype, srcmac order by subtotal desc)### t group by os order
by totalnum desc
Dataset Name Description Log Category

wifi-Top-Device-By-Bandwidth Top WiFi device by bandwidth usage traffic

select
devtype,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and (
srcssid is not null
or dstssid is not null
)
and devtype is not null
group by
devtype
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0

Dataset Reference 88
Fortinet, Inc.
Dataset Reference List Log Database Tables

order by
bandwidth desc
Dataset Name Description Log Category

wifi-Top-Device-By-Client Top WiFi device by client traffic

select
devtype,
count(distinct srcmac) as totalnum
from
###(select srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) as subtotal
from $log where $filter and logid_to_int(logid) not in (4, 7, 14) and (srcssid is
not null or dstssid is not null) and srcmac is not null group by srcintf, srcssid,
osname, osversion, devtype, srcmac order by subtotal desc)### t where devtype is
not null group by devtype order by totalnum desc
Dataset Name Description Log Category

wifi-Overall-Traffic WiFi overall traffic traffic

select
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and (
srcssid is not null
or dstssid is not null
)
Dataset Name Description Log Category

wifi-Num-Distinct-Client WiFi num distinct client traffic

select
count(distinct srcmac) as totalnum
from
###(select srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) as subtotal
from $log where $filter and logid_to_int(logid) not in (4, 7, 14) and (srcssid is
not null or dstssid is not null) and srcmac is not null group by srcintf, srcssid,
osname, osversion, devtype, srcmac order by subtotal desc)### t
Dataset Name Description Log Category

Top30-Subnets-by-Bandwidth-and-Ses- Top subnets by application bandwidth traffic

sions

select
ip_subnet(`srcip`) as subnet,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth,

89 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

sum(
coalesce(rcvdbyte, 0)
) as traffic_in,
sum(
coalesce(sentbyte, 0)
) as traffic_out,
count(*) as sessions
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
subnet
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

Top30-Subnets-by-Application-Band- Top applications by bandwidth traffic

width

select
ip_subnet(`srcip`) as subnet,
app_group_name(app) as app_group,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and nullifna(app) is not null
group by
subnet,
app_group
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

Top30-Subnets-by-Application-Sessions Top applications by sessions traffic

select
ip_subnet(`srcip`) as subnet,
app_group_name(app) as app_group,
count(*) as sessions
from

Dataset Reference 90
Fortinet, Inc.
Dataset Reference List Log Database Tables

$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and nullifna(app) is not null
group by
subnet,
app_group
order by
sessions desc
Dataset Name Description Log Category

Top30-Subnets-by-Website-Bandwidth Top websites and web category by bandwidth traffic

select
subnet,
website,
sum(bandwidth) as bandwidth
from
###(select ip_subnet(`srcip`) as subnet, hostname as website, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and hostname
is not null and logid_to_int(logid) not in (4, 7, 14) and ((logver>=52 and
countweb>0) or ((logver is null) and utmevent in ('webfilter', 'banned-word', 'web-
content', 'command-block', 'script-filter'))) group by subnet, website order by
bandwidth desc)### t group by subnet, website order by bandwidth desc
Dataset Name Description Log Category

Top30-Subnets-by-Website-Hits Top websites and web category by sessions traffic

select
subnet,
website,
sum(hits) as hits
from
(
###(select ip_subnet(`srcip`) as subnet, hostname as website, count(*) as hits from
$log-traffic where $filter and hostname is not null and logid_to_int(logid) not
in (4, 7, 14) and utmevent in ('webfilter', 'banned-word', 'web-content',
'command-block', 'script-filter') group by subnet, website order by hits
desc)### union all ###(select ip_subnet(`srcip`) as subnet, hostname as website,
count(*) as hits from $log-webfilter where $filter and hostname is not null and
(eventtype is null or logver>=52) group by subnet, website order by hits
desc)###) t group by subnet, website order by hits desc
Dataset Name Description Log Category

Top30-Subnets-with-Top10-User-by-Band- Top users by bandwidth traffic

width

select
ip_subnet(`srcip`) as subnet,
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,

91 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and srcip is not null
group by
subnet,
user_src
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

Top30-Subnets-with-Top10-User-by-Ses- Top users by sessions traffic

sions

select
ip_subnet(`srcip`) as subnet,
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
count(*) as sessions
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
subnet,
user_src
order by
sessions desc
Dataset Name Description Log Category

app-Top-20-Category-and-Applications- Top category and applications by bandwidth usage traffic

by-Bandwidth

select
appcat,
app,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where

Dataset Reference 92
Fortinet, Inc.
Dataset Reference List Log Database Tables

$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
appcat,
app
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

app-Top-20-Category-and-Applications- Top category and applications by session traffic

by-Session

select
appcat,
app,
count(*) as sessions
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
appcat,
app
order by
sessions desc
Dataset Name Description Log Category

app-Top-500-Allowed-Applications-by- Top allowed applications by bandwidth usage traffic

Bandwidth

select
from_itime(itime) as timestamp,
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
appcat,
app,
coalesce(
root_domain(hostname),
ipstr(dstip)
) as destination,
sum(
coalesce(`sentbyte`, 0)+ coalesce(`rcvdbyte`, 0)
) as bandwidth
from
$log
where
$filter

93 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

and logid_to_int(logid) not in (4, 7, 14)

and action in ('accept', 'close', 'timeout')
group by
timestamp,
user_src,
appcat,
app,
destination
order by
bandwidth desc
Dataset Name Description Log Category

app-Top-500-Blocked-Applications-by- Top blocked applications by session traffic

Session

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
appcat,
app,
count(*) as sessions
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and action in (
'deny', 'blocked', 'reset', 'dropped'
)
group by
user_src,
appcat,
app
order by
sessions desc
Dataset Name Description Log Category

web-Detailed-Website-Browsing-Log Web detailed website browsing log traffic

select
from_dtime(dtime) as timestamp,
catdesc,
hostname as website,
action as status,
sum(bandwidth) as bandwidth
from
###(select dtime, catdesc, hostname, utmaction as action, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter and hostname
is not null and logid_to_int(logid) not in (4, 7, 14) and ((logver>=52 and
countweb>0) or ((logver is null) and utmevent in ('webfilter', 'banned-word', 'web-
content', 'command-block', 'script-filter'))) group by dtime, catdesc, hostname,

Dataset Reference 94
Fortinet, Inc.
Dataset Reference List Log Database Tables

utmaction order by dtime desc)### t group by dtime, catdesc, website, status order
by dtime desc
Dataset Name Description Log Category

web-Hourly-Category-and-Website-Hits- Web hourly category and website hits action traffic

Action

select
hod,
website,
sum(hits) as hits
from
(
###(select $hour_of_day as hod, (hostname || ' (' || coalesce(`catdesc`, 'Unknown')
|| ')') as website, count(*) as hits from $log-traffic where $filter and
hostname is not null and logid_to_int(logid) not in (4, 7, 14) and utmevent in
('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')
group by hod, website order by hod, hits desc)### union all ###(select $hour_of_
day as hod, (hostname || ' (' || coalesce(`catdesc`, 'Unknown') || ')') as
website , count(*) as hits from $log-webfilter where $filter and hostname is not
null and (eventtype is null or logver>=52) group by hod, website order by hod,
hits desc)###) t group by hod, website order by hod, hits desc
Dataset Name Description Log Category

web-Top-20-Category-and-Websites- Web top category and websites by bandwidth usage traffic

by-Bandwidth

select
website,
catdesc,
sum(bandwidth) as bandwidth
from
###(select hostname as website, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte,
0)) as bandwidth from $log-traffic where $filter and hostname is not null and
logid_to_int(logid) not in (4, 7, 14) and ((logver>=52 and countweb>0) or ((logver
is null) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-
block', 'script-filter'))) group by website, catdesc order by bandwidth desc)### t
group by website, catdesc order by bandwidth desc
Dataset Name Description Log Category

web-Top-20-Category-and-Websites-by- Web top category and websites by session traffic

Session

select
website,
catdesc,
sum(hits) as hits
from
(
###(select hostname as website, catdesc, count(*) as hits from $log-traffic where
$filter and hostname is not null and logid_to_int(logid) not in (4, 7, 14) and
utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block',
'script-filter') group by website, catdesc order by hits desc)### union all ###
(select hostname as website, catdesc, count(*) as hits from $log-webfilter where
$filter and hostname is not null and (eventtype is null or logver>=52) group by

95 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

website, catdesc order by hits desc)###) t group by website, catdesc order by

hits desc
Dataset Name Description Log Category

web-Top-500-Website-Sessions-by- Web top website sessions by bandwidth usage traffic

Bandwidth

select
from_dtime(dtime) as timestamp,
user_src,
website,
catdesc,
cast(
sum(dura)/ 60 as decimal(18, 2)
) as dura,
sum(bandwidth) as bandwidth
from
###(select dtime, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as
user_src, hostname as website, catdesc, sum(coalesce(duration, 0)) as dura, sum
(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter
and hostname is not null and logid_to_int(logid) not in (4, 7, 14) and action in
('accept','close','timeout') group by dtime, user_src, website, catdesc having sum
(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t group
by dtime, user_src, website, catdesc order by bandwidth desc
Dataset Name Description Log Category

web-Top-500-User-Visted-Websites-by- Web top user visted websites by bandwidth usage traffic

Bandwidth

select
website,
catdesc,
sum(bandwidth) as bandwidth
from
###(select hostname as website, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte,
0)) as bandwidth from $log-traffic where $filter and hostname is not null and
logid_to_int(logid) not in (4, 7, 14) and ((logver>=52 and countweb>0) or ((logver
is null) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-
block', 'script-filter'))) group by hostname, catdesc having sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0))>0 order by bandwidth desc)### t group by website, catdesc
order by bandwidth desc
Dataset Name Description Log Category

web-Top-500-User-Visted-Websites-by- Web top user visted websites by session traffic

Session

select
website,
catdesc,
sum(sessions) as sessions
from
(
###(select hostname as website, catdesc, count(*) as sessions from $log-traffic
where $filter and hostname is not null and logid_to_int(logid) not in (4, 7, 14)
and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block',

Dataset Reference 96
Fortinet, Inc.
Dataset Reference List Log Database Tables

'script-filter') group by hostname, catdesc order by sessions desc)### union all

###(select hostname as website, catdesc, count(*) as sessions from $log-
webfilter where $filter and hostname is not null and (eventtype is null or
logver>=52) group by hostname, catdesc order by sessions desc)###) t group by
website, catdesc order by sessions desc
Dataset Name Description Log Category

fct-Installed-Feature-Summary Installed Feature Summary fct-event

select
clientfeature,
count(*) as totalnum
from
$log
where
$filter
and clientfeature is not null
group by
clientfeature
order by
totalnum desc
Dataset Name Description Log Category

fct-Device-by-Operating-System Device by OS fct-event

select
os,
count(*) as totalnum
from
$log
where
$filter
and os is not null
group by
os
order by
totalnum desc
Dataset Name Description Log Category

fct-Installed-FortiClient-Version FortiClient Version fct-event

select
fctver_trim(fctver) as fctver_short,
count(*) as totalnum
from
$log
where
$filter
and fctver is not null
group by
fctver_short
order by
totalnum desc

97 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

Dataset Name Description Log Category

fct-Endpoint-Profile-Deployment Endpoint Profile Deployment fct-event

select
coalesce(
nullifna(usingpolicy),
'Unknown'
) as profile,
count(*) as totalnum
from
$log
where
$filter
group by
profile
order by
totalnum desc
Dataset Name Description Log Category

fct-Client-Summary Client Summary fct-event

select
hostname,
deviceip,
os,
profile,
hostuser,
fctver_short
from
###(select hostname, deviceip, os, coalesce(nullifna(usingpolicy), 'Unknown') as
profile, coalesce(nullifna(`user`), 'Unknown') as hostuser, fctver_trim(fctver) as
fctver_short from $log where $filter and os is not null group by hostname,
deviceip, os, profile, hostuser, fctver_short)### t group by hostname, deviceip,
os, profile, hostuser, fctver_short
Dataset Name Description Log Category

fct-Total-Threats-Found Total Threats Found fct-traffic

select
coalesce(
nullifna(utmevent),
'Unknown'
) as utmevent,
count(*) as totalnum
from
$log
where
$filter
group by
utmevent
order by
totalnum desc

Dataset Reference 98
Fortinet, Inc.
Dataset Reference List Log Database Tables

Dataset Name Description Log Category

fct-Top10-AV-Threats-Detected Top AV Threats Detected fct-traffic

select
srcname,
count(*) as totalnum
from
$log
where
$filter
and srcname is not null
and lower(utmevent)= 'antivirus'
group by
srcname
order by
totalnum desc
Dataset Name Description Log Category

fct-Top10-Infected-Devices-with-Botnet Top Infected Devices with Botnet fct-traffic

select
hostname,
count(*) as totalnum
from
$log
where
$filter
and hostname is not null
and lower(utmevent) in ('webfilter', 'appfirewall')
and lower(threat) like '%botnet%'
group by
hostname
order by
totalnum desc
Dataset Name Description Log Category

fct-Top10-Infected-Devices-with-Virus- Top Infected Devices with Virus Malware fct-traffic

Malware

select
hostname,
count(*) as totalnum
from
$log
where
$filter
and hostname is not null
and lower(utmevent) in ('antivirus', 'antimalware')
group by
hostname
order by
totalnum desc

99 Dataset Reference
Fortinet, Inc.
Log Database Tables Dataset Reference List

Dataset Name Description Log Category

fct-All-Antivirus-Antimalware-Detections All Antivirus and Antimalware Detections fct-traffic

select
srcname,
hostname,
coalesce(
nullifna(`user`),
'Unknown'
) as hostuser,
utmaction
from
$log
where
$filter
and lower(utmevent) in ('antivirus', 'antimalware')
group by
srcname,
hostname,
hostuser,
utmaction
Dataset Name Description Log Category

fct-Web-Filter-Violations Web Filter Violations fct-traffic

select
remotename,
hostname,
coalesce(
nullifna(`user`),
'Unknown'
) as hostuser,
utmaction,
count(*) as totalnum
from
$log
where
$filter
and lower(utmevent)= 'webfilter'
group by
remotename,
hostname,
hostuser,
utmaction
Dataset Name Description Log Category

fct-Application-Firewall Application Firewall fct-traffic

select
srcname,
hostname,
coalesce(
nullifna(`user`),

Dataset Reference 100

Fortinet, Inc.
Dataset Reference List Log Database Tables

'Unknown'
) as hostuser,
utmaction
from
$log
where
$filter
and lower(utmevent)= 'appfirewall'
group by
srcname,
hostname,
hostuser,
utmaction
Dataset Name Description Log Category

fct-Errors-and-Alerts Errors and Alerts fct-event

select
msg,
hostname,
coalesce(
nullifna(`user`),
'Unknown'
) as hostuser
from
$log
where
$filter
and level in ('error', 'alert')
group by
msg,
hostname,
hostuser
Dataset Name Description Log Category

fct-Threats-by-Top-Devices Threats by Top Devices fct-traffic

select
hostname,
count(*) as totalnum
from
$log
where
$filter
and hostname is not null
and utmevent is not null
group by
hostname
order by
totalnum desc
Dataset Name Description Log Category

os-Detect-OS-Count Detected operation system count traffic

101 Dataset Reference

Fortinet, Inc.
Log Database Tables Dataset Reference List

select
(
coalesce(osname, 'Unknown')
) as os,
count(*) as totalnum
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
os
order by
totalnum desc
Dataset Name Description Log Category

drilldown-Top-App-By-Sessions-Table Drilldown top applications by session count traffic

select
appid,
app,
sum(sessions) as sessions
from
###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr
(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where
$filter-exclude-var and logid_to_int(logid) not in (4, 7, 14) group by appid, app,
user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where
$filter-drilldown and nullifna(app) is not null group by appid, app order by
sessions desc
Dataset Name Description Log Category

drilldown-Top-App-By-Sessions-Bar Drilldown top applications by session count traffic

select
appid,
app,
sum(sessions) as sessions
from
###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr
(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where
$filter-exclude-var and logid_to_int(logid) not in (4, 7, 14) group by appid, app,
user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where
$filter-drilldown and nullifna(app) is not null group by appid, app order by
sessions desc
Dataset Name Description Log Category

drilldown-Top-App-By-Bandwidth-Table Drilldown top applications by bandwidth usage traffic

select
appid,
app,
sum(bandwidth) as bandwidth
from

Dataset Reference 102

Fortinet, Inc.
Dataset Reference List Log Database Tables

###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr

(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where
$filter-exclude-var and logid_to_int(logid) not in (4, 7, 14) group by appid, app,
user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where
$filter-drilldown and nullifna(app) is not null group by appid, app having sum
(bandwidth)>0 order by bandwidth desc
Dataset Name Description Log Category

drilldown-Top-App-By-Bandwidth-Bar Drilldown top applications by bandwidth usage traffic

select
appid,
app,
sum(bandwidth) as bandwidth
from
###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr
(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where
$filter-exclude-var and logid_to_int(logid) not in (4, 7, 14) group by appid, app,
user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where
$filter-drilldown and nullifna(app) is not null group by appid, app having sum
(bandwidth)>0 order by bandwidth desc
Dataset Name Description Log Category

drilldown-Top-Destination-By-Sessions- Drilldown top destination by session count traffic

Table

select
dstip,
sum(sessions) as sessions
from
###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr
(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where
$filter-exclude-var and logid_to_int(logid) not in (4, 7, 14) group by appid, app,
user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where
$filter-drilldown and dstip is not null group by dstip order by sessions desc
Dataset Name Description Log Category

drilldown-Top-Destination-By-Band- Drilldown top destination by bandwidth usage traffic

width-Table

select
dstip,
sum(bandwidth) as bandwidth
from
###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr
(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where
$filter-exclude-var and logid_to_int(logid) not in (4, 7, 14) group by appid, app,
user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where
$filter-drilldown and dstip is not null group by dstip having sum(bandwidth)>0
order by bandwidth desc

103 Dataset Reference

Fortinet, Inc.
Log Database Tables Dataset Reference List

Dataset Name Description Log Category

drilldown-Top-User-By-Sessions-Table Drilldown top user by session count traffic

select
user_src,
sum(sessions) as sessions
from
###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr
(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where
$filter-exclude-var and logid_to_int(logid) not in (4, 7, 14) group by appid, app,
user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where
$filter-drilldown and user_src is not null group by user_src order by sessions desc
Dataset Name Description Log Category

drilldown-Top-User-By-Sessions-Bar Drilldown top user by session count traffic

select
user_src,
sum(sessions) as sessions
from
###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr
(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where
$filter-exclude-var and logid_to_int(logid) not in (4, 7, 14) group by appid, app,
user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where
$filter-drilldown and user_src is not null group by user_src order by sessions desc
Dataset Name Description Log Category

drilldown-Top-User-By-Bandwidth-Table Drilldown top user by bandwidth usage traffic

select
user_src,
sum(bandwidth) as bandwidth
from
###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr
(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where
$filter-exclude-var and logid_to_int(logid) not in (4, 7, 14) group by appid, app,
user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where
$filter-drilldown and user_src is not null group by user_src having sum
(bandwidth)>0 order by bandwidth desc
Dataset Name Description Log Category

drilldown-Top-User-By-Bandwidth-Bar Drilldown top user by bandwidth usage traffic

select
user_src,
sum(bandwidth) as bandwidth
from
###(select appid, app, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr
(`srcip`)) as user_src, dstip, srcintf, dstintf, policyid, count(*) as sessions,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where

Dataset Reference 104

Fortinet, Inc.
Dataset Reference List Log Database Tables

$filter-exclude-var and logid_to_int(logid) not in (4, 7, 14) group by appid, app,

user_src, dstip, srcintf, dstintf, policyid order by sessions desc)### t where
$filter-drilldown and user_src is not null group by user_src having sum
(bandwidth)>0 order by bandwidth desc
Dataset Name Description Log Category

drilldown-Top-Web-User-By-Visit-Table Drilldown top web user by visit traffic

select
user_src,
sum(requests) as visits
from
(
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as
user_src, hostname, count(*) as requests from $log-traffic where $filter-
exclude-var and logid_to_int(logid) not in (4, 7, 14) and utmevent in
('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')
and hostname is not null group by user_src, hostname order by requests desc)###
union all ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src,
hostname, count(*) as requests from $log-webfilter where $filter-exclude-var and
(eventtype is null or logver>=52) and hostname is not null group by user_src,
hostname order by requests desc)###) t where $filter-drilldown and user_src is
not null group by user_src order by visits desc
Dataset Name Description Log Category

drilldown-Top-Web-User-By-Visit-Bar Drilldown top web user by visit traffic

select
user_src,
sum(requests) as visits
from
(
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as
user_src, hostname, count(*) as requests from $log-traffic where $filter-
exclude-var and logid_to_int(logid) not in (4, 7, 14) and utmevent in
('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')
and hostname is not null group by user_src, hostname order by requests desc)###
union all ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src,
hostname, count(*) as requests from $log-webfilter where $filter-exclude-var and
(eventtype is null or logver>=52) and hostname is not null group by user_src,
hostname order by requests desc)###) t where $filter-drilldown and user_src is
not null group by user_src order by visits desc
Dataset Name Description Log Category

drilldown-Top-Website-By-Request- Drilldown top website by request traffic

Table

select
hostname,
sum(requests) as visits
from
(
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as
user_src, hostname, count(*) as requests from $log-traffic where $filter-
exclude-var and logid_to_int(logid) not in (4, 7, 14) and utmevent in

105 Dataset Reference

Fortinet, Inc.
Log Database Tables Dataset Reference List

('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')

and hostname is not null group by user_src, hostname order by requests desc)###
union all ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src,
hostname, count(*) as requests from $log-webfilter where $filter-exclude-var and
(eventtype is null or logver>=52) and hostname is not null group by user_src,
hostname order by requests desc)###) t where $filter-drilldown and hostname is
not null group by hostname order by visits desc
Dataset Name Description Log Category

drilldown-Top-Website-By-Request-Bar Drilldown top website by request traffic

select
hostname,
sum(requests) as visits
from
(
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as
user_src, hostname, count(*) as requests from $log-traffic where $filter-
exclude-var and logid_to_int(logid) not in (4, 7, 14) and utmevent in
('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter')
and hostname is not null group by user_src, hostname order by requests desc)###
union all ###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src,
hostname, count(*) as requests from $log-webfilter where $filter-exclude-var and
(eventtype is null or logver>=52) and hostname is not null group by user_src,
hostname order by requests desc)###) t where $filter-drilldown and hostname is
not null group by hostname order by visits desc
Dataset Name Description Log Category

drilldown-Top-Email-Sender-By-Volume Drilldown top email sender by volume traffic

select
sender,
sum(bandwidth) as volume
from
(
###(select sender, recipient, count(*) as requests, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter-exclude-
var and logid_to_int(logid) not in (4, 7, 14) and service in ('smtp', 'SMTP',
'25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and utmevent in ('general-
email-log', 'spamfilter') group by sender, recipient order by requests desc)###
union all ###(select `from` as sender, `to` as recipient, count(*) as requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-
emailfilter where $filter-exclude-var and service in ('smtp', 'SMTP', '25/tcp',
'587/tcp', 'smtps', 'SMTPS', '465/tcp') and eventtype is null group by `from`,
`to` order by requests desc)###) t where $filter-drilldown and sender is not
null group by sender having sum(bandwidth)>0 order by volume desc
Dataset Name Description Log Category

drilldown-Top-Email-Send-Recipient-By- Drilldown top email send recipient by volume traffic

Volume

select
recipient,
sum(bandwidth) as volume
from

Dataset Reference 106

Fortinet, Inc.
Dataset Reference List Log Database Tables

(
###(select sender, recipient, count(*) as requests, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter-exclude-
var and logid_to_int(logid) not in (4, 7, 14) and service in ('smtp', 'SMTP',
'25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and utmevent in ('general-
email-log', 'spamfilter') group by sender, recipient order by requests desc)###
union all ###(select `from` as sender, `to` as recipient, count(*) as requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-
emailfilter where $filter-exclude-var and service in ('smtp', 'SMTP', '25/tcp',
'587/tcp', 'smtps', 'SMTPS', '465/tcp') and eventtype is null group by `from`,
`to` order by requests desc)###) t where $filter-drilldown and recipient is not
null group by recipient having sum(bandwidth)>0 order by volume desc
Dataset Name Description Log Category

drilldown-Top-Email-Sender-By-Count Drilldown top email sender by count traffic

select
sender,
sum(requests) as requests
from
(
###(select sender, recipient, count(*) as requests, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter-exclude-
var and logid_to_int(logid) not in (4, 7, 14) and service in ('smtp', 'SMTP',
'25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and utmevent in ('general-
email-log', 'spamfilter') group by sender, recipient order by requests desc)###
union all ###(select `from` as sender, `to` as recipient, count(*) as requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-
emailfilter where $filter-exclude-var and service in ('smtp', 'SMTP', '25/tcp',
'587/tcp', 'smtps', 'SMTPS', '465/tcp') and eventtype is null group by `from`,
`to` order by requests desc)###) t where $filter-drilldown and sender is not
null group by sender order by requests desc
Dataset Name Description Log Category

drilldown-Top-Email-Send-Recipient-By- Drilldown top email send recipient by count traffic

Count

select
recipient,
sum(requests) as requests
from
(
###(select sender, recipient, count(*) as requests, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-traffic where $filter-exclude-
var and logid_to_int(logid) not in (4, 7, 14) and service in ('smtp', 'SMTP',
'25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') and utmevent in ('general-
email-log', 'spamfilter') group by sender, recipient order by requests desc)###
union all ###(select `from` as sender, `to` as recipient, count(*) as requests,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-
emailfilter where $filter-exclude-var and service in ('smtp', 'SMTP', '25/tcp',
'587/tcp', 'smtps', 'SMTPS', '465/tcp') and eventtype is null group by `from`,
`to` order by requests desc)###) t where $filter-drilldown and recipient is not
null group by recipient order by requests desc

107 Dataset Reference

Fortinet, Inc.
Log Database Tables Dataset Reference List

Dataset Name Description Log Category

drilldown-Top-Email-Recipient-By- Drilldown top email receiver by volume traffic

Volume

select
recipient,
sum(bandwidth) as volume
from
(
###(select recipient, sender, count(*) as requests, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and
logid_to_int(logid) not in (4, 7, 14) and service in ('pop3', 'POP3', '110/tcp',
'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S',
'995/tcp') and utmevent in ('general-email-log', 'spamfilter') group by
recipient, sender order by requests desc)### union all ###(select `to` as
recipient, `from` as sender, count(*) as requests, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-
exclude-var and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP',
'143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and
eventtype is null group by `to`, `from` order by requests desc)###) t where
$filter-drilldown and recipient is not null group by recipient having sum
(bandwidth)>0 order by volume desc
Dataset Name Description Log Category

drilldown-Top-Email-Receive-Sender- Drilldown top email receive sender by volume traffic

By-Volume

select
sender,
sum(bandwidth) as volume
from
(
###(select recipient, sender, count(*) as requests, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and
logid_to_int(logid) not in (4, 7, 14) and service in ('pop3', 'POP3', '110/tcp',
'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S',
'995/tcp') and utmevent in ('general-email-log', 'spamfilter') group by
recipient, sender order by requests desc)### union all ###(select `to` as
recipient, `from` as sender, count(*) as requests, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-
exclude-var and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP',
'143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and
eventtype is null group by `to`, `from` order by requests desc)###) t where
$filter-drilldown and sender is not null group by sender having sum(bandwidth)>0
order by volume desc
Dataset Name Description Log Category

drilldown-Top-Email-Recipient-By- Drilldown top email receiver by count traffic

Count

select
recipient,
sum(requests) as requests
from

Dataset Reference 108

Fortinet, Inc.
Dataset Reference List Log Database Tables

(
###(select recipient, sender, count(*) as requests, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and
logid_to_int(logid) not in (4, 7, 14) and service in ('pop3', 'POP3', '110/tcp',
'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S',
'995/tcp') and utmevent in ('general-email-log', 'spamfilter') group by
recipient, sender order by requests desc)### union all ###(select `to` as
recipient, `from` as sender, count(*) as requests, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-
exclude-var and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP',
'143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and
eventtype is null group by `to`, `from` order by requests desc)###) t where
$filter-drilldown and recipient is not null group by recipient order by requests
desc
Dataset Name Description Log Category

drilldown-Top-Email-Receive-Sender- Drilldown top email receive sender by count traffic

By-Count

select
sender,
sum(requests) as requests
from
(
###(select recipient, sender, count(*) as requests, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log where $filter-exclude-var and
logid_to_int(logid) not in (4, 7, 14) and service in ('pop3', 'POP3', '110/tcp',
'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S',
'995/tcp') and utmevent in ('general-email-log', 'spamfilter') group by
recipient, sender order by requests desc)### union all ###(select `to` as
recipient, `from` as sender, count(*) as requests, sum(coalesce(sentbyte,
0)+coalesce(rcvdbyte, 0)) as bandwidth from $log-emailfilter where $filter-
exclude-var and service in ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP',
'143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') and
eventtype is null group by `to`, `from` order by requests desc)###) t where
$filter-drilldown and sender is not null group by sender order by requests desc
Dataset Name Description Log Category

drilldown-Top-Attack-Destination Drilldown top attack dest attack

select
dstip,
sum(totalnum) as totalnum
from
###(select srcip, dstip, count(*) as totalnum from $log where $filter-exclude-var group
by srcip, dstip order by totalnum desc)### t where $filter-drilldown and dstip is
not null group by dstip order by totalnum desc
Dataset Name Description Log Category

drilldown-Top-Attack-Source Drilldown top attack source attack

select
srcip,
sum(totalnum) as totalnum
from

109 Dataset Reference

Fortinet, Inc.
Log Database Tables Dataset Reference List

###(select srcip, dstip, count(*) as totalnum from $log where $filter-exclude-var group
by srcip, dstip order by totalnum desc)### t where $filter-drilldown and srcip is
not null group by srcip order by totalnum desc
Dataset Name Description Log Category

drilldown-Top-Attack-List Drilldown top attack list attack

select
from_itime(itime) as timestamp,
attack,
srcip,
dstip
from
###(select itime, attack, srcip, dstip from $log where $filter-exclude-var order by
itime desc)### t where $filter-drilldown order by itime desc
Dataset Name Description Log Category

drilldown-Top-Virus UTM top virus traffic

select
virus,
(
case when virus like 'Riskware%' then 'Spyware' when virus like 'Adware%' then
'Adware' else 'Virus' end
) as malware_type,
sum(totalnum) as totalnum
from
(
###(select virus, count(*) as totalnum from $log-traffic where $filter and logid_to_
int(logid) not in (4, 7, 14) and utmevent is not null and virus is not null
group by virus order by totalnum desc)### union all ###(select virus, count(*)
as totalnum from $log-virus where $filter and (eventtype is null or logver>=52)
and nullifna(virus) is not null group by virus order by totalnum desc)###) t
group by virus, malware_type order by totalnum desc
Dataset Name Description Log Category

drilldown-Virus-Detail Drilldown virus detail traffic

select
from_itime(itime) as timestamp,
virus,
user_src,
dstip,
hostname,
recipient
from
(
###(select itime, virus, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr
(`srcip`)) as user_src, dstip, hostname, recipient from $log-traffic where
$filter and logid_to_int(logid) not in (4, 7, 14) and utmevent is not null and
virus is not null order by itime desc)### union all ###(select itime, virus,
coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, dstip, cast(' ' as char)
as hostname, cast(' ' as char) as recipient from $log-virus where $filter and
(eventtype is null or logver>=52) and nullifna(virus) is not null order by itime
desc)###) t where $filter-drilldown order by itime desc

Dataset Reference 110

Fortinet, Inc.
Dataset Reference List Log Database Tables

Dataset Name Description Log Category

user-drilldown-Top-Blocked-Web-Sites- User drilldown top blocked web sites by requests webfilter

By-Requests

select
hostname,
sum(requests) as requests
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, hostname, action,
count(*) as requests from $log where $filter and hostname is not null group by
user_src, hostname, action order by requests desc)### t where $filter-drilldown and
action='blocked' group by hostname order by requests desc
Dataset Name Description Log Category

user-drilldown-Top-Allowed-Web-Sites- User drilldown top allowed web sites by requests webfilter

By-Requests

select
hostname,
sum(requests) as requests
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, hostname, action,
count(*) as requests from $log where $filter and hostname is not null group by
user_src, hostname, action order by requests desc)### t where $filter-drilldown and
action!='blocked' group by hostname order by requests desc
Dataset Name Description Log Category

user-drilldown-Top-Blocked-Web-Cat- User drilldown top blocked web categories webfilter

egories

select
catdesc,
sum(requests) as requests
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, catdesc, action,
count(*) as requests from $log where $filter and catdesc is not null group by user_
src, catdesc, action order by requests desc)### t where $filter-drilldown and
action='blocked' group by catdesc order by requests desc
Dataset Name Description Log Category

user-drilldown-Top-Allowed-Web-Cat- User drilldown top allowed web categories webfilter

egories

select
catdesc,
sum(requests) as requests
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, catdesc, action,
count(*) as requests from $log where $filter and catdesc is not null group by user_
src, catdesc, action order by requests desc)### t where $filter-drilldown and
action!='blocked' group by catdesc order by requests desc

111 Dataset Reference

Fortinet, Inc.
Log Database Tables Dataset Reference List

Dataset Name Description Log Category

user-drilldown-Top-Attacks User drilldown top attacks by name attack

select
attack,
sum(attack_count) as attack_count
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, attack, (case when
severity in ('critical', 'high') then 1 else 0 end) as high_severity, count(*) as
attack_count from $log where $filter and nullifna(attack) is not null group by
user_src, attack, high_severity order by attack_count desc)### t where $filter-
drilldown group by attack order by attack_count desc
Dataset Name Description Log Category

user-drilldown-Top-Attacks-High-Sever- User drilldown top attacks high severity attack

ity

select
attack,
sum(attack_count) as attack_count
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, attack, (case when
severity in ('critical', 'high') then 1 else 0 end) as high_severity, count(*) as
attack_count from $log where $filter and nullifna(attack) is not null group by
user_src, attack, high_severity order by attack_count desc)### t where $filter-
drilldown and high_severity=1 group by attack order by attack_count desc
Dataset Name Description Log Category

user-drilldown-Top-Virus-By-Name User drilldown top virus virus

select
virus,
sum(totalnum) as totalnum
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, virus, count(*) as
totalnum from $log where $filter and nullifna(virus) is not null group by user_src,
virus order by totalnum desc)### t where $filter-drilldown group by virus order by
totalnum desc
Dataset Name Description Log Category

user-drilldown-Top-Virus-Receivers- User drilldown top virus receivers over email virus

Over-Email

select
receiver,
sum(totalnum) as totalnum
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, `to` as receiver,
count(*) as totalnum from $log where $filter and subtype='infected' and (service in
('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') or service in
('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp',
'pop3s', 'POP3S', '995/tcp')) and nullifna(virus) is not null group by user_src,

Dataset Reference 112

Fortinet, Inc.
Dataset Reference List Log Database Tables

receiver order by totalnum desc)### t where $filter-drilldown group by receiver

order by totalnum desc
Dataset Name Description Log Category

user-drilldown-Count-Spam-Activity-by- User drilldown count spam activity by hour of day emailfilter

Hour-of-Day

select
hourstamp,
sum(totalnum) as totalnum
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, $hour_of_day as
hourstamp, count(*) as totalnum from $log where $filter and `to` is not null and
action in ('detected', 'blocked') group by user_src, hourstamp order by
hourstamp)### t where $filter-drilldown group by hourstamp order by hourstamp
Dataset Name Description Log Category

user-drilldown-Top-Spam-Sources User drilldown top spam sources emailfilter

select
mf_sender,
sum(totalnum) as totalnum
from
###(select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src, `from` as mf_sender,
count(*) as totalnum from $log where $filter and `from` is not null and action in
('detected', 'blocked') group by user_src, mf_sender order by totalnum desc)### t
where $filter-drilldown group by mf_sender order by totalnum desc
Dataset Name Description Log Category

event-Usage-CPU Event usage CPU event

select
hourstamp,
cast(
sum(cpu_usage)/ sum(num) as decimal(6, 2)
) as cpu_avg_usage
from
###(select $hour_of_day as hourstamp, sum(cpu) as cpu_usage, count(*) as num from $log
where $filter and subtype='system' and action='perf-stats' group by hourstamp)### t
group by hourstamp order by hourstamp
Dataset Name Description Log Category

event-Usage-Memory Event usage memory event

select
hourstamp,
cast(
sum(mem_usage)/ sum(num) as decimal(6, 2)
) as mem_avg_usage
from
###(select $hour_of_day as hourstamp, sum(mem) as mem_usage, count(*) as num from $log
where $filter and subtype='system' and action='perf-stats' group by hourstamp)### t
group by hourstamp order by hourstamp

113 Dataset Reference

Fortinet, Inc.
Log Database Tables Dataset Reference List

Dataset Name Description Log Category

event-Usage-Sessions Event usage sessions event

select
hourstamp,
cast(
sum(sess_usage)/ sum(num) as decimal(10, 2)
) as sess_avg_usage
from
###(select $hour_of_day as hourstamp, sum(totalsession) as sess_usage, count(*) as num
from $log where $filter and subtype='system' and action='perf-stats' group by
hourstamp)### t group by hourstamp order by hourstamp
Dataset Name Description Log Category

event-Usage-CPU-Sessions Event usage CPU sessions event

select
hourstamp,
cast(
sum(sess_usage)/ sum(num) as decimal(10, 2)
) as sess_avg_usage,
cast(
sum(cpu_usage)/ sum(num) as decimal(6, 2)
) as cpu_avg_usage
from
###(select $hour_of_day as hourstamp, sum(cpu) as cpu_usage, sum(totalsession) as sess_
usage, count(*) as num from $log where $filter and subtype='system' and
action='perf-stats' group by hourstamp)### t group by hourstamp order by hourstamp
Dataset Name Description Log Category

App-Risk-Top-Users-By-Bandwidth Top users by bandwidth usage traffic

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
srcip,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth,
sum(
coalesce(rcvdbyte, 0)
) as traffic_in,
sum(
coalesce(sentbyte, 0)
) as traffic_out
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)

Dataset Reference 114

Fortinet, Inc.
Dataset Reference List Log Database Tables

and srcip is not null

group by
user_src,
srcip
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

App-Risk-Top-User-Source-By-Ses- Application risk top user source by session count traffic

sions

select
srcip,
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
count(*) as sessions
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and srcip is not null
group by
srcip,
user_src
order by
sessions desc
Dataset Name Description Log Category

App-Risk-Top-Users-By-Reputation- Application risk reputation top users by scores traffic

Scores-Bar

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
sum(crscore % 65536) as scores
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and crscore is not null
group by
user_src
having

115 Dataset Reference

Fortinet, Inc.
Log Database Tables Dataset Reference List

sum(crscore % 65536)> 0
order by
scores desc
Dataset Name Description Log Category

App-Risk-Top-Devices-By-Reputation- Application risk reputation top devices by scores traffic

Scores

select
devtype,
coalesce(
nullifna(`srcname`),
nullifna(`srcmac`),
ipstr(`srcip`)
) as dev_src,
sum(crscore % 65536) as scores
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and crscore is not null
group by
devtype,
dev_src
having
sum(crscore % 65536)> 0
order by
scores desc
Dataset Name Description Log Category

App-Risk-Application-Usage-By-Cat- Application risk application usage by category traffic

egory-With-Pie

select
appcat,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and nullifna(appcat) is not null
group by
appcat
order by
bandwidth desc
Dataset Name Description Log Category

App-Risk-App-Usage-by-Category Application risk application usage by category traffic

select

Dataset Reference 116

Fortinet, Inc.
Dataset Reference List Log Database Tables

appcat,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and nullifna(appcat) is not null
group by
appcat
order by
bandwidth desc
Dataset Name Description Log Category

Top-20-Categories-By-Bandwidth Webfilter categories by bandwidth usage webfilter

select
catdesc,
sum(bandwidth) as bandwidth
from
###(select catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth from
$log-traffic where $filter and logid_to_int(logid) not in (4, 7, 14) and
((logver>=52 and countweb>0) or ((logver is null) and utmevent in ('webfilter',
'banned-word', 'web-content', 'command-block', 'script-filter'))) and catdesc is
not null group by catdesc order by bandwidth desc)### t group by catdesc order by
bandwidth desc
Dataset Name Description Log Category

App-Risk-Key-Applications-Crossing-The- Application risk application activity traffic

Network

select
app_group_name(app) as app_group,
appcat,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth,
count(*) as num_session
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and nullifna(app) is not null
group by
app_group,
appcat
order by
bandwidth desc

117 Dataset Reference

Fortinet, Inc.
Log Database Tables Dataset Reference List

Dataset Name Description Log Category

App-Risk-Applications-Running-Over- Application risk applications running over HTTP traffic

HTTP

select
app_group_name(app) as app_group,
service,
count(*) as sessions,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and nullifna(app) is not null
and service in (
'80/tcp', '443/tcp', 'HTTP', 'HTTPS',
'http', 'https'
)
group by
app_group,
service
having
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
)> 0
order by
bandwidth desc
Dataset Name Description Log Category

App-Risk-Top-Web-Sites-Visited-By-Net- Application risk web browsing summary category traffic

work-Users-Pie-Cha

select
catdesc,
sum(num_sess) as num_sess,
sum(bandwidth) as bandwidth
from
###(select catdesc, count(*) as num_sess, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte,
0)) as bandwidth from $log-traffic where $filter and logid_to_int(logid) not in (4,
7, 14) and ((logver>=52 and countweb>0) or ((logver is null) and utmevent in
('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter'))) and
catdesc is not null group by catdesc order by num_sess desc)### t group by catdesc
order by num_sess desc
Dataset Name Description Log Category

App-Risk-Top-Web-Sites-Visited-By-Net- Application risk web browsing summary category traffic

work-Users

select
catdesc,

Dataset Reference 118

Fortinet, Inc.
Dataset Reference List Log Database Tables

sum(num_sess) as num_sess,
sum(bandwidth) as bandwidth
from
###(select catdesc, count(*) as num_sess, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte,
0)) as bandwidth from $log-traffic where $filter and logid_to_int(logid) not in (4,
7, 14) and ((logver>=52 and countweb>0) or ((logver is null) and utmevent in
('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter'))) and
catdesc is not null group by catdesc order by num_sess desc)### t group by catdesc
order by num_sess desc
Dataset Name Description Log Category

App-Risk-Web-Browsing-Hostname- Application risk web browsing activity hostname cat- traffic

Category egory

select
domain,
catdesc,
sum(visits) as visits
from
(
###(select coalesce(nullifna(hostname), ipstr(`dstip`)) as domain, catdesc, count(*)
as visits from $log-traffic where $filter and logid_to_int(logid) not in (4, 7,
14) and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block',
'script-filter') and catdesc is not null group by domain, catdesc order by
visits desc)### union all ###(select coalesce(nullifna(hostname), ipstr
(`dstip`)) as domain, catdesc, count(*) as visits from $log-webfilter where
$filter and (eventtype is null or logver>=52) and catdesc is not null group by
domain, catdesc order by visits desc)###) t group by domain, catdesc order by
visits desc
Dataset Name Description Log Category

Top-Destination-Countries-By-Brows- Traffic top destination countries by browsing time traffic

ing-Time

select
dstcountry,
sum(delta) as browsetime,
sum(bandwidth) as bandwidth,
sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
###(select dstcountry, sum($browse_time) as delta, sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce
(sentbyte, 0)) as traffic_out from $log where $filter and logid_to_int(logid) not
in (4, 7, 14) group by dstcountry having sum($browse_time)>0 order by delta
desc)### t group by dstcountry order by browsetime desc
Dataset Name Description Log Category

Top-Destination-Countries-By-Brows- Traffic top destination countries by browsing time traffic

ing-Time-Enhanced enhanced

select
dstcountry,
sum(delta) as browsetime,
sum(bandwidth) as bandwidth,

119 Dataset Reference

Fortinet, Inc.
Log Database Tables Dataset Reference List

sum(traffic_in) as traffic_in,
sum(traffic_out) as traffic_out
from
###(select dstcountry, sum($browse_time2) as delta, sum(coalesce(sentbyte, 0)+coalesce
(rcvdbyte, 0)) as bandwidth, sum(coalesce(rcvdbyte, 0)) as traffic_in, sum(coalesce
(sentbyte, 0)) as traffic_out from $log where $filter and logid_to_int(logid) not
in (4, 7, 14) group by dstcountry having sum($browse_time2)>0 order by delta
desc)### t group by dstcountry order by browsetime desc
Dataset Name Description Log Category

App-Risk-Traffic-Top-Hostnames-By- Traffic top domains by browsing time traffic

Browsing-Time

select
hostname,
sum($browse_time) as browsetime,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth,
sum(
coalesce(rcvdbyte, 0)
) as traffic_in,
sum(
coalesce(sentbyte, 0)
) as traffic_out
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and hostname is not null
group by
hostname
having
sum($browse_time)> 0
order by
browsetime desc
Dataset Name Description Log Category

App-Risk-Traffic-Top-Hostnames-By- Traffic top domains by browsing time enhanced traffic

Browsing-Time-Enhanced

select
hostname,
sum($browse_time2) as browsetime,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth,
sum(
coalesce(rcvdbyte, 0)
) as traffic_in,
sum(
coalesce(sentbyte, 0)
) as traffic_out
from

Dataset Reference 120

Fortinet, Inc.
Dataset Reference List Log Database Tables

$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and hostname is not null
group by
hostname
having
sum($browse_time2)> 0
order by
browsetime desc
Dataset Name Description Log Category

App-Risk-Top-Threat-Vectors-Crossing- Application risk top threat vectors attack

The-Network

select
severity,
count(*) as totalnum
from
$log
where
$filter
group by
severity
order by
totalnum desc
Dataset Name Description Log Category

App-Risk-Top-Critical-Threat-Vectors- Application risk top critical threat vectors attack

Crossing-The-Network

select
attack,
severity,
ref,
count(*) as totalnum
from
$log
where
$filter
and severity = 'critical'
and nullifna(attack) is not null
group by
attack,
severity,
ref
order by
totalnum desc
Dataset Name Description Log Category

App-Risk-Top-High-Threat-Vectors-Cross- Application risk top high threat vectors attack

ing-The-Network

121 Dataset Reference

Fortinet, Inc.
Log Database Tables Dataset Reference List

select
attack,
severity,
ref,
count(*) as totalnum
from
$log
where
$filter
and severity = 'high'
and nullifna(attack) is not null
group by
attack,
severity,
ref
order by
totalnum desc
Dataset Name Description Log Category

App-Risk-Top-Medium-Threat-Vectors- Application risk top medium threat vectors attack

Crossing-The-Network

select
attack,
severity,
ref,
count(*) as totalnum
from
$log
where
$filter
and severity = 'medium'
and nullifna(attack) is not null
group by
attack,
severity,
ref
order by
totalnum desc
Dataset Name Description Log Category

App-Risk-Top-Low-Threat-Vectors-Cross- Application risk top low threat vectors attack

ing-The-Network

select
attack,
severity,
ref,
count(*) as totalnum
from
$log
where
$filter
and severity = 'low'
and nullifna(attack) is not null

Dataset Reference 122

Fortinet, Inc.
Dataset Reference List Log Database Tables

group by
attack,
severity,
ref
order by
totalnum desc
Dataset Name Description Log Category

App-Risk-Top-Info-Threat-Vectors-Cross- Application risk top info threat vectors attack

ing-The-Network

select
attack,
severity,
ref,
count(*) as totalnum
from
$log
where
$filter
and severity = 'info'
and nullifna(attack) is not null
group by
attack,
severity,
ref
order by
totalnum desc
Dataset Name Description Log Category

App-Risk-Top-Virus-By-Name UTM top virus traffic

select
virus,
(
case when virus like 'Riskware%' then 'Spyware' when virus like 'Adware%' then
'Adware' else 'Virus' end
) as malware_type,
sum(totalnum) as totalnum
from
(
###(select virus, count(*) as totalnum from $log-traffic where $filter and logid_to_
int(logid) not in (4, 7, 14) and utmevent is not null and virus is not null
group by virus order by totalnum desc)### union all ###(select virus, count(*)
as totalnum from $log-virus where $filter and (eventtype is null or logver>=52)
and nullifna(virus) is not null group by virus order by totalnum desc)###) t
group by virus, malware_type order by totalnum desc
Dataset Name Description Log Category

App-Risk-Top-Virus-Victim UTM top virus user traffic

select
user_src,
sum(totalnum) as totalnum

123 Dataset Reference

Fortinet, Inc.
Log Database Tables Dataset Reference List

from
(
###(select coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`)) as
user_src, count(*) as totalnum from $log-traffic where $filter and logid_to_int
(logid) not in (4, 7, 14) and utmevent is not null and virus is not null group
by user_src order by totalnum desc)### union all ###(select coalesce(nullifna
(`user`), ipstr(`srcip`)) as user_src, count(*) as totalnum from $log-virus
where $filter and (eventtype is null or logver>=52) and nullifna(virus) is not
null group by user_src order by totalnum desc)###) t group by user_src order by
totalnum desc
Dataset Name Description Log Category

App-Risk-Data-Loss-Prevention-Type- Application risk DLP UTM event traffic

Events

select
utmsubtype,
sum(number) as number
from
(
###(select utmsubtype, count(*) as number from $log-traffic where $filter and logid_
to_int(logid) not in (4, 7, 14) and utmevent='dlp' and utmsubtype is not null
group by utmsubtype order by number desc)### union all ###(select subtype as
utmsubtype, count(*) as number from $log-dlp where $filter and subtype is not
null group by subtype order by number desc)###) t group by utmsubtype order by
number desc
Dataset Name Description Log Category

App-Risk-Vulnerability-Discovered Application risk vulnerability discovered netscan

select
vuln,
vulnref as ref,
vulncat,
severity,
count(*) as totalnum
from
$log
where
$filter
and vuln is not null
group by
vuln,
vulnref,
vulncat,
severity
order by
totalnum desc
Dataset Name Description Log Category

App-Risk-Malware-Discovered Application risk virus discovered traffic

select
dom,
sum(totalnum) as totalnum

Dataset Reference 124

Fortinet, Inc.
Dataset Reference List Log Database Tables

from
(
###(select $DAY_OF_MONTH as dom, count(*) as totalnum from $log-traffic where
$filter and logid_to_int(logid) not in (4, 7, 14) and utmevent is not null and
virus is not null group by dom order by totalnum desc)### union all ###(select
$DAY_OF_MONTH as dom, count(*) as totalnum from $log-virus where $filter and
nullifna(virus) is not null and (eventtype is null or logver>=52) group by dom
order by totalnum desc)###) t group by dom order by totalnum desc
Dataset Name Description Log Category

App-Risk-Breakdown-Of-Risk-Applic- Application risk breakdown of risk applications traffic

ations

select
d_behavior,
count(*) as number
from
$log t1
inner join app_mdata t2 on t1.appid = t2.id
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and d_risk > 0
group by
d_behavior
order by
number desc
Dataset Name Description Log Category

App-Risk-Number-Of-Applications-By- Application risk number of applications by risk beha- traffic

Risk-Behavior vior

select
d_risk,
coalesce(
d_behavior, 'Other Applications'
) as f_behavior,
count(*) as number
from
$log t1
inner join app_mdata t2 on t1.appid = t2.id
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
d_risk,
d_behavior
order by
d_risk desc,
number desc
Dataset Name Description Log Category

App-Risk-High-Risk-Application Application risk high risk application traffic

125 Dataset Reference

Fortinet, Inc.
Log Database Tables Dataset Reference List

select
d_risk,
d_behavior,
t2.id,
t2.name,
t2.app_cat,
t2.technology,
sum(
coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)
) as bandwidth,
count(*) as sessions
from
$log t1
inner join app_mdata t2 on t1.appid = t2.id
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and d_behavior is not null
group by
t2.id
order by
d_risk desc,
sessions desc
Dataset Name Description Log Category

Apprisk-Ctrl-Severe-High-Risk-Applic- Severe and high risk applications traffic

ation

select
appcat,
count(distinct app) as total_num
from
###(select appcat, app from $log where $filter and app is not null and appcat is not
null and logid_to_int(logid) not in (4, 7, 14) and apprisk in ('critical', 'high')
group by appcat, app)### t group by appcat order by total_num desc
Dataset Name Description Log Category

Apprisk-Ctrl-Threats-Prevention Threat Prevention traffic

select
threat_name,
sum(total_num) as total_num
from
(
###(select cast('Malware & Botnet C&C' as char(32)) as threat_name, count(*) as
total_num from $log-app-ctrl where $filter and lower(appcat)='botnet')### union
all ###(select cast('Malware & Botnet C&C' as char(32)) as threat_name, count(*)
as total_num from $log-virus where $filter and nullifna(virus) is not null)###
union all ###(select cast('Malicious & Phishing Sites' as char(32)) as threat_
name, count(*) as total_num from $log-webfilter where $filter and cat in (26,
61))### union all ###(select cast('Critical & High Intrusion Attacks' as char
(32)) as threat_name, count(*) as total_num from $log-attack where $filter and
severity in ('critical', 'high'))###) t group by threat_name having sum(total_
num) > 0 order by total_num desc

Dataset Reference 126

Fortinet, Inc.
Dataset Reference List Log Database Tables

Dataset Name Description Log Category

Apprisk-Ctrl-Application-Vulnerability Application vulnerabilities discovered attack

select
attack,
ref,
vuln_type,
severity_number,
count(distinct dstip) as victims,
count(distinct srcip) as sources,
sum(totalnum) as totalnum
from
###(select attack, ref, vuln_type, (case when t1.severity='critical' then 5 when
t1.severity='high' then 4 when t1.severity='medium' then 3 when t1.severity='low'
then 2 when t1.severity='info' then 1 else 0 end) as severity_number, dstip, srcip,
count(*) as totalnum from $log t1 left join ips_mdata t2 on t1.attack=t2.name where
$filter and nullifna(attack) is not null and t1.severity is not null group by
attack, ref, vuln_type, t1.severity, dstip, srcip )### t group by attack, ref,
vuln_type, severity_number order by severity_number desc, totalnum desc
Dataset Name Description Log Category

Apprisk-Ctrl-Breakdown-Of-High-Risk- Severe and high risk applications traffic

Application

select
appcat,
count(distinct app) as total_num
from
###(select appcat, app from $log where $filter and app is not null and appcat is not
null and logid_to_int(logid) not in (4, 7, 14) and apprisk in ('critical', 'high')
group by appcat, app)### t group by appcat order by total_num desc
Dataset Name Description Log Category

Apprisk-Ctrl-Top-20-High-Risk-Applic- Application risk high risk application traffic

ation

select
d_risk,
count(distinct f_user) as users,
id,
name,
app_cat,
technology,
sum(bandwidth) as bandwidth,
sum(sessions) as sessions
from
###(select (case apprisk when 'low' then 1 when 'elevated' then 2 when 'medium' then 3
when 'high' then 4 when 'critical' then 5 else 0 end) as d_risk, coalesce(nullifna
(t1.`user`), nullifna(t1.`unauthuser`), ipstr(t1.`srcip`)) as f_user, t2.id ,
t2.name, t2.app_cat, t2.technology, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte,
0)) as bandwidth, count(*) as sessions from $log t1 inner join app_mdata t2 on
t1.appid=t2.id where $filter and apprisk in ('critical', 'high') and logid_to_int
(logid) not in (4, 7, 14) group by f_user, t2.id , t2.name, t2.app_cat,

127 Dataset Reference

Fortinet, Inc.
Log Database Tables Dataset Reference List

t2.technology, apprisk)### t group by id, d_risk, name, app_cat, technology order

by d_risk desc, sessions desc
Dataset Name Description Log Category

Apprisk-Ctrl-High-Risk-Application-Beha- Application Behavioral Characteristics traffic

vioral

select
behavior,
round(
sum(total_num)* 100 / sum(
sum(total_num)
) over (),
2
) as percentage
from
###(select (case when lower(appcat)='botnet' then 'malicious' when lower
(appcat)='remote.access' then 'tunneling' when lower(appcat) in ('storage.backup',
'video/audio') then 'bandwidth-consuming' when lower(appcat)='p2p' then 'peer-to-
peer' when lower(appcat)='proxy' then 'proxy' end) as behavior, count(*) as total_
num from $log where $filter and lower(appcat) in ('botnet', 'remote.access',
'storage.backup', 'video/audio', 'p2p', 'proxy') and logid_to_int(logid) not in (4,
7, 14) and apprisk in ('critical', 'high') group by appcat)### t group by behavior
order by percentage desc
Dataset Name Description Log Category

Apprisk-Ctrl-Key-Application-Crossing- Key Application Crossing The Network traffic

The-Network

select
d_risk,
count(distinct f_user) as users,
id,
name,
app_cat,
technology,
sum(bandwidth) as bandwidth,
sum(sessions) as sessions
from
###(select (case apprisk when 'low' then 1 when 'elevated' then 2 when 'medium' then 3
when 'high' then 4 when 'critical' then 5 else 0 end) as d_risk, coalesce(nullifna
(t1.`user`), nullifna(t1.`unauthuser`), ipstr(t1.`srcip`)) as f_user, t2.id,
t2.name, t2.app_cat, t2.technology, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte,
0)) as bandwidth, count(*) as sessions from $log t1 inner join app_mdata t2 on
t1.appid=t2.id where $filter and logid_to_int(logid) not in (4, 7, 14) group by f_
user, t2.id, t2.name, t2.app_cat, t2.technology, apprisk )### t group by id, name,
app_cat, technology, d_risk order by bandwidth desc
Dataset Name Description Log Category

Apprisk-Ctrl-Risk-Application-Usage-By- Application risk application usage by category traffic

Category-With-Pie

select
appcat,
sum(

Dataset Reference 128

Fortinet, Inc.
Dataset Reference List Log Database Tables

coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)

) as bandwidth
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and nullifna(appcat) is not null
group by
appcat
order by
bandwidth desc
Dataset Name Description Log Category

Apprisk-Ctrl-Category-Breakdown-By- Category breakdown of all applications, sorted by band- traffic

Bandwidth width

select
appcat,
count(distinct appid) as app_num,
count(distinct f_user) as user_num,
sum(bandwidth) as bandwidth,
sum(num_session) as num_session
from
###(select appcat, appid, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr
(`srcip`)) as f_user, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as
bandwidth, count(*) as num_session from $log where $filter and logid_to_int(logid)
not in (4, 7, 14) and nullifna(appcat) is not null group by appcat, appid, f_
user)### t group by appcat order by bandwidth desc
Dataset Name Description Log Category

Apprisk-Ctrl-Top-Web-Applications-by- Top 25 Web Categories by Bandwidtih traffic

Bandwidth

select
d_risk,
id,
name,
technology,
count(distinct f_user) as user_num,
sum(bandwidth) as bandwidth,
sum(num_session) as num_session
from
###(select (case apprisk when 'low' then 1 when 'elevated' then 2 when 'medium' then 3
when 'high' then 4 when 'critical' then 5 else 0 end) as d_risk, t2.id, t2.name,
t2.technology, coalesce(nullifna(t1.`user`), nullifna(t1.`unauthuser`), ipstr
(t1.`srcip`)) as f_user, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as
bandwidth, count(*) as num_session from $log t1 inner join app_mdata t2 on
t1.appid=t2.id where $filter and logid_to_int(logid) not in (4, 7, 14) and nullifna
(app) is not null and service in ('80/tcp', '443/tcp', 'HTTP', 'HTTPS', 'http',
'https') group by apprisk, t2.id, t2.name, t2.technology, f_user)### t group by d_
risk, id, name, technology order by bandwidth desc

129 Dataset Reference

Fortinet, Inc.
Log Database Tables Dataset Reference List

Dataset Name Description Log Category

Apprisk-Ctrl-Top-Web-Categories-Vis- Top 25 Web Categories Visited traffic

ited

select
catdesc,
count(distinct f_user) as user_num,
sum(sessions) as sessions,
sum(bandwidth) as bandwidth
from
###(select catdesc, coalesce(nullifna(`user`), nullifna(`unauthuser`), ipstr(`srcip`))
as f_user, count(*) as sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))
as bandwidth from $log-traffic where $filter and catdesc is not null and logid_to_
int(logid) not in (4, 7, 14) and ((logver>=52 and countweb>0) or ((logver is null)
and utmevent in ('webfilter', 'banned-word', 'web-content', 'command-block',
'script-filter'))) group by f_user, catdesc order by sessions desc)### t group by
catdesc order by sessions desc
Dataset Name Description Log Category

Apprisk-Ctrl-Common-Virus-Botnet- Common virus disvocered, the botnet communictions traffic

Spyware and the spyware/adware

select
virus_s as virus,
(
case when lower(appcat)= 'botnet' then 'Botnet C&C' else (
case when virus_s like 'Riskware%' then 'Spyware' when virus_s like 'Adware%'
then 'Adware' else 'Virus' end
) end
) as malware_type,
appid,
app,
count(distinct dstip) as victims,
count(distinct srcip) as source,
sum(total_num) as total_num
from
(
###(select app as virus_s, appcat, appid, app, dstip, srcip, count(*) as total_num
from $log-traffic where $filter and logid_to_int(logid) not in (4, 7, 14) and
lower(appcat)='botnet' group by virus_s, appcat, appid, dstip, srcip, app order
by total_num desc)### union all ###(select unnest(string_to_array(virus, ','))
as virus_s, appcat, appid, app, dstip, srcip, count(*) as total_num from $log-
traffic where $filter and logid_to_int(logid) not in (4, 7, 14) and virus is not
null group by virus_s, appcat, appid, dstip, srcip, app order by total_num
desc)###) t group by virus, appid, app, malware_type order by total_num desc
Dataset Name Description Log Category

Apprisk-Ctrl-Zero-Day-Detected-On-Net- Zero-day malware detected on the network traffic

work

select
virus_s,
appid,
app,

Dataset Reference 130

Fortinet, Inc.
Dataset Reference List Log Database Tables

count(distinct dstip) as victims,

count(distinct srcip) as source,
sum(total_num) as total_num
from
###(select unnest(string_to_array(virus, ',')) as virus_s, appid, app, dstip, srcip,
count(*) as total_num from $log where $filter and logid_to_int(logid) not in (4, 7,
14) and virus like '%PossibleThreat.SB%' group by virus_s, dstip, srcip, appid, app
)### t where virus_s like '%PossibleThreat.SB%' group by virus_s, appid, app order
by total_num desc
Dataset Name Description Log Category

Apprisk-Ctrl-Files-Analyzed-By- Files analyzed by FortiCloud Sandbox virus

FortiCloud-Sandbox

select
$DAY_OF_MONTH as dom,
count(*) as total_num
from
$log
where
$filter
and nullifna(filename) is not null
and logid_to_int(logid)= 9233
group by
dom
order by
dom
Dataset Name Description Log Category

Apprisk-Ctrl-Malicious-Files-Detected-By- Files detected by FortiCloud Sandbox virus

FortiCloud-Sandbox

select
filename,
analyticscksum,
count(distinct dstip) as victims,
count(distinct srcip) as source
from
###(select filename, analyticscksum, dstip, srcip from $log where $filter and filename
is not null and logid_to_int(logid)=9233 and analyticscksum is not null group by
filename, analyticscksum, srcip, dstip)### t group by filename, analyticscksum
order by victims
Dataset Name Description Log Category

Apprisk-Ctrl-File-Transferred-By-Applic- File transferred by applications on the network app-ctrl

ation

select
appid,
app,
filename,
cloudaction,
filesize
from

131 Dataset Reference

Fortinet, Inc.
Log Database Tables Dataset Reference List

$log
where
$filter
and filesize is not null
and clouduser is not null
and filename is not null
group by
cloudaction,
appid,
app,
filename,
filesize
order by
filesize desc
Dataset Name Description Log Category

appctrl-Top-Blocked-SCCP-Callers Appctrl top blocked SCCP callers app-ctrl

select
srcname as caller,
count(*) as totalnum
from
$log
where
$filter
and lower(appcat)= 'voip'
and app = 'sccp'
and action = 'block'
and srcname is not null
group by
caller
order by
totalnum desc
Dataset Name Description Log Category

appctrl-Top-Blocked-SIP-Callers Appctrl top blocked SIP callers app-ctrl

select
srcname as caller,
count(*) as totalnum
from
$log
where
$filter
and srcname is not null
and lower(appcat)= 'voip'
and app = 'sip'
and action = 'block'
group by
caller
order by
totalnum desc

Dataset Reference 132

Fortinet, Inc.
Dataset Reference List Log Database Tables

Dataset Name Description Log Category

content-Count-Total-SCCP-Call-Regis- Content count total SCCP call registrations by hour of content

trations-by-Hour-of-Day day

select
$hour_of_day as hourstamp,
count(*) as totalnum
from
$log
where
$filter
and proto = 'sccp'
and kind = 'register'
group by
hourstamp
order by
hourstamp
Dataset Name Description Log Category

content-Count-Total-SCCP-Calls-Dur- Content count total SCCP calls duration by hour of content

ation-by-Hour-of-Day day

select
$hour_of_day as hourstamp,
sum(duration) as sccp_usage
from
$log
where
$filter
and proto = 'sccp'
and kind = 'call-info'
and status = 'end'
group by
hourstamp
order by
hourstamp
Dataset Name Description Log Category

content-Count-Total-SCCP-Calls-per- Content count total SCCP calls per status content

Status

select
status,
count(*) as totalnum
from
$log
where
$filter
and proto = 'sccp'
and kind = 'call-info'
group by
status
order by

133 Dataset Reference

Fortinet, Inc.
Log Database Tables Dataset Reference List

totalnum desc
Dataset Name Description Log Category

content-Count-Total-SIP-Call-Regis- Content count total SIP call registrations by hour of content

trations-by-Hour-of-Day day

select
$hour_of_day as hourstamp,
count(*) as totalnum
from
$log
where
$filter
and proto = 'sip'
and kind = 'register'
group by
hourstamp
order by
hourstamp
Dataset Name Description Log Category

content-Count-Total-SIP-Calls-per- Content count total SIP calls per status content

Status

select
status,
count(*) as totalnum
from
$log
where
$filter
and proto = 'sip'
and kind = 'call'
group by
status
order by
totalnum desc
Dataset Name Description Log Category

content-Dist-Total-SIP-Calls-by-Dur- Content dist total SIP calls by duration content

ation

select
(
case when duration < 60 then 'LESS_ONE_MIN' when duration < 600 then 'LESS_TEN_MIN'
when duration < 3600 then 'LESS_ONE_HOUR' when duration >= 3600 then 'MORE_ONE_
HOUR' else 'unknown' end
) as f_duration,
count(*) as totalnum
from
$log
where
$filter
and proto = 'sip'

Dataset Reference 134

Fortinet, Inc.
Dataset Reference List Log Database Tables

and kind = 'call'

and status = 'end'
group by
f_duration
order by
totalnum desc
Dataset Name Description Log Category

Botnet-Activity-By-Sources Botnet activity by sources traffic

select
app,
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
count(*) as events
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and appcat = 'Botnet'
and nullifna(app) is not null
group by
app,
user_src
order by
events desc
Dataset Name Description Log Category

Botnet-Infected-Hosts Botnet infected hosts traffic

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
devtype,
coalesce(srcname, srcmac) as host_mac,
count(*) as events
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and appcat = 'Botnet'
group by
user_src,
devtype,
host_mac
order by
events desc

135 Dataset Reference

Fortinet, Inc.
Log Database Tables Dataset Reference List

Dataset Name Description Log Category

Detected-Botnet Detected botnet traffic

select
app,
count(*) as events
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and appcat = 'Botnet'
and nullifna(app) is not null
group by
app
order by
events desc
Dataset Name Description Log Category

Botnet-Sources Botnet sources traffic

select
dstip,
root_domain(hostname) as domain,
count(*) as events
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and appcat = 'Botnet'
and dstip is not null
group by
dstip,
domain
order by
events desc
Dataset Name Description Log Category

Botnet-Victims Botnet victims traffic

select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
count(*) as events
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)

Dataset Reference 136

Fortinet, Inc.
Dataset Reference List Log Database Tables

and appcat = 'Botnet'

and srcip is not null
group by
user_src
order by
events desc
Dataset Name Description Log Category

Botnet-Timeline Botnet timeline traffic

select
$flex_timescale as hodex,
count(*) as events
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and appcat = 'Botnet'
group by
hodex
order by
hodex desc
Dataset Name Description Log Category

Application-Session-History Application session history traffic

select
$flex_timescale as hodex,
count(*) as counter
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
group by
hodex
order by
hodex
Dataset Name Description Log Category

Application-Usage-List Detailed application usage traffic

select
appid,
app,
appcat,
(
case when (
utmaction in ('block', 'blocked')
or action = 'deny'
) then 'Blocked' else 'Allowed' end
) as custaction,
sum(

137 Dataset Reference

Fortinet, Inc.
Log Database Tables Dataset Reference List

coalesce(sentbyte, 0)+ coalesce(rcvdbyte, 0)

) as bandwidth,
count(*) as num_session
from
$log
where
$filter
and logid_to_int(logid) not in (4, 7, 14)
and nullifna(app) is not null
and policyid != 0
group by
appid,
app,
appcat,
custaction
order by
bandwidth desc

Dataset Reference 138

Fortinet, Inc.
Macro Reference List
The following table lists the available predefined macros that can be used in a report layout to display the log data as
text (XML format) dynamically.

Macro Name Description Dataset Used Log Category

Application Category with Application category with the App-Sessions-By-Cat- Traffic

Highest Session Count highest session count egory

Application with Highest Band- Application with the highest band- Top-App-By-Bandwidth Traffic
width width usage

Application with Highest Session Applications with the highest ses- Top-App-By-Sessions Traffic
Count sion count

Attack with Highest Session Attack with highest session count Utm-Top-Attack- Attack
Count Source

Botnet with Highest Session Botnet with the highest session Detected-Botnet Traffic
Count count

Destination with Highest Band- Destination with the highest band- Top-Destinations-By- Traffic
width width usage Bandwidth

Destination with Highest Session Destination with the highest ses- Top-Destinations-By- Traffic
Count sion count Sessions

Highest Bandwidth Consumed Highest bandwidth consumed by App-Risk-App-Usage- Traffic

(Application) Category application category By-Category

Highest Bandwidth Consumed Highest bandwidth consumed by Top-App-By-Bandwidth Traffic

(Application) application

Highest Bandwidth Consumed Highest bandwidth consumed by Top-Destinations-By- Traffic

(Destination) destination Bandwidth

Highest Bandwidth Consumed Highest bandwidth consumed by Top-P2P-App-By-Band- Traffic

(P2P Application) P2P application width

Highest Bandwidth Consumed Highest bandwidth consumed by Top-Users-By-Band- Traffic

(Source) source width

Highest Bandwidth Consumed Highest bandwidth consumed by Top-Web-Category-by- Web Filter

()Web Category) website category Bandwidth

Highest Bandwidth Consumed Highest bandwidth consumed by Top-Web-Sites-by- Web Filter

(Website) website Bandwidth

139 Dataset Reference

Fortinet, Inc.
 Macro Reference List

Macro Name Description Dataset Used Log Category

Highest Risk Application with Highest risk application with the High-Risk-Application- Traffic
Highest Bandwidth highest bandwidth usage By-Bandwidth

Highest Risk Application with Highest risk application with the High-Risk-Application- Traffic
Highest Session Count highest session count By-Sessions

Highest Session Count by Applic- Highest session count by applic- App-Sessions-By-Cat- Traffic
ation Category ation category egory

Highest Session Count by Applic- Highest session count by applic- Top-App-By-Sessions Traffic
ation ation

Highest Session Count by Attack Highest session count by attack Utm-Top-Attack- Attack
Source

Highest Session Count by Botnet Highest session count by botnet Detected-Botnet Traffic

Highest Session Count by Destin- Highest session count by des- Top-Destinations-By- Traffic
ation tination Sessions

Highest Session Count by Highest session count by highest Threat-Attacks-By- Attack

Highest Severity Attack severity attack Severity

Highest Session Count by P2P Highest session count by P2P Top-P2P-App-By-Ses- Traffic
Application application sions

Highest Session Count by Source Highest session count by source Top-User-Source-By- Traffic
Sessions

Highest Session Count by Virus Highest session count by virus Utm-Top-Virus Traffic

Highest Session Count by Web Highest session count by website Top-Web-Category-by- Web Filter
Category category Sessions

Highest Session Count by Web- Highest session count by website Top-Web-Sites-by-Ses- Web Filter
site sions

Highest Severity Attack with Highest severity attack with the Threat-Attacks-By- Attack
Highest Session Count highest session count Severity

P2P Application with Highest P2P applications with the highest Top-P2P-App-By-Band- Traffic
Bandwidth bandwidth usage width

P2P Application with Highest Ses- P2P applications with the highest Top-P2P-App-By-Ses- Traffic
sion Count session count sions

Source with Highest Bandwidth Source with the highest bandwidth Top-Users-By-Band- Traffic
usage width

Dataset Reference 140

Fortinet, Inc.
Macro Reference List

141 Dataset Reference

Fortinet, Inc.
Copyright© 2016 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations,and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.