FortiAnalyzer Dataset Reference Guide (1)

FortiAnalyzer Datasets RELEASE 5.0.8 Reference Manual Datasets v5.0.8 September 19, 2014 05-508-255078-20140919 Copyright © 2014 Fortinet, Inc. All rights reserved. Fortinet®, FortiOS®, FortiGuard®, FortiManager®, FortiAnalyzer® are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Technical Documentation http://help.fortinet.com Forums https://support.fortinet.com/forum Customer Service & Support https://support.fortinet.com Training http://training.fortinet.com FortiGuard Threat Research & Response http://www.fortiguard.com License http://www.fortinet.com/doc/legal/EULA.pdf Document Feedback Email: techdocs@fortinet.com FortiAnalyzer v5.0.8 Datasets Contents Introduction 5 Overview 6 Understanding Datasets and Macros Creating Custom Datasets To create a custom dataset in the web-based manager Testing SQL Query Examples of SQL Query Errors Syntax Errors Connection Errors Examples of Custom Datasets Example 1: Distribution of applications by type in the last 24 hours GUI Procedure Example 2: Top 100 applications by bandwidth in the last 24 hours GUI Procedure Log Database Tables Dataset Reference List Macro Reference List Copyright © 2014 Fortinet, Inc. All Rights Reserved 7 8 8 8 9 9 9 10 10 10 11 11 13 16 125 3 Introduction FortiAnalyzer v5.0.8 Datasets Introduction This document provides information about the various types of FortiAnalyzer datasets which are created based on the FortiGate log SQL tables and messages. These datasets are used to create charts and reports. It describes the procedure for creating custom datasets, and also lists the types of log tables used to assist in writing SQL queries to create the datasets. Copyright © 2014 Fortinet, Inc. All Rights Reserved 5 Overview FortiAnalyzer v5.0.8 Datasets Overview FortiAnalyzer uses the PostgreSQL and remote MySQL databases to store the log data generated by the FortiGate. To create a chart based on the FortiGate logs in a local or remote database, you can use either the predefined datasets, or create your own custom datasets by querying the logs in the SQL database in FortiAnalyzer. This chapter includes the following topics: 6 Understanding Datasets and Macros 7 Creating Custom Datasets To create a custom dataset in the web-based manager 8 8 Testing SQL Query Examples of SQL Query Errors 8 9 Examples of Custom Datasets Example 1: Distribution of applications by type in the last 24 hours Example 2: Top 100 applications by bandwidth in the last 24 hours 10 10 11 Log Database Tables 13 Copyright © 2014 Fortinet, Inc. Overview FortiAnalyzer v5.0.8 Datasets Understanding Datasets and Macros FortiAnalyzer datasets are collections of log messages from monitored devices. If the FortiAnalyzer unit is not receiving data from a device, or logging is not enabled under System > Config > SQL Database, it does not create log tables for that device. Charts in FortiAnalyzer are generated based on the datasets. To create a chart, you can use either the predefined datasets, or create your own custom datasets by querying the log messages in the SQL database on the FortiAnalyzer unit. Both predefined and custom datasets can be cloned, but only custom datasets can be deleted. You can also view the SQL query for a dataset, and test the query against specific devices or log arrays. You can create custom reports that contain macros created based on predefined and custom datasets. Macros are used to dynamically display the device log data as text in a report. They can be embedded within a text field of a paragraph in a report layout in XML format. Macros display a single value, such as a user name, highest session count, or highest bandwidth etc. To view and configure datasets, go to Reports > Advanced > Dataset in the left navigation pane of the webbased manager. For more information, refer to the Dataset section in the FortiAnalyzer Administration Guide. To view and configure macros, go to Reports> Macro Library in the left navigation pane of the web-based manager. For more information, refer to the Macro Library section in the FortiAnalyzer Administration Guide. N o te : Fo rti An a l yze r v5 .0 Pa tch R e l e a se 5 i n tro d u ce d n e w d a ta se ts fo r SIP a n d SC C P. Fo rti An a l yze r v5 .0 Pa tch R e l e a se 6 i n tro d u ce s n e w d a ta se ts fo r Bo tn e t (Bo tn e t-Acti vi ty-By-So u rce s, Bo tn e t-In fe cte d -H o sts, Bo tn e t-So u rce s, Bo tn e t-Ti me l i n e , a n d D e te cte d -Bo tn e t). Copyright © 2014 Fortinet, Inc. All Rights Reserved 7 Overview FortiAnalyzer v5.0.8 Datasets Creating Custom Datasets This section describes the procedure to create datasets in the FortiAnalyzer web-based manager. To create a custom dataset in the web-based manager 1. Go to Reports> Advanced > Dataset. 2. Click Create New. 3. Configure the following, then click OK. The following table describes the GUI fields of the New Dataset dialog box. Field Description Name Name of the data set. Log Type Log Type to be used for the data set. $log is used in the SQL query to represent the log type you select, and it is run against all tables of this type. Devices Select All Devices to create datasets on all of FortiAnalyzer managed devices. or select Specify to choose a device on which you want to create the dataset. Query Enter the SQL query syntax to retrieve the log data you want from the SQL database. Time Period Select to use logs from a time frame. Select Other to define a custom time frame by selecting the Start Time and End Time. $filter is used in the SQL query "where" clause to limit the results to the period you select. Test Click to test whether or not the SQL query is successful. Testing SQL Query You can verify the SQL query that you used to create the custom dataset before saving the dataset configuration by testing and viewing the query results. 8 Copyright © 2014 Fortinet, Inc. Overview FortiAnalyzer v5.0.8 Datasets To test a SQL query: 1. Click Test after entering the SQL query in the New Dataset dialog box. The query results are displayed. If the query is not successful, an error message appears in the results pane. Examples of SQL Query Errors Here are some example error messages and possible causes: Syntax Errors You have an error in your SQL syntax (remote/MySQL) or ERROR: syntax error at or near... (local/PostgreSQL) • Check that SQL keywords are spelled correctly, and that the query is well-formed. • Table and column names are demarked by grave accent (`) characters. Single (') and double (") quotation marks will cause an error. No data is covered. • The query is correctly formed, but no data has been logged for the log type. Check that you have configured the FortiAnalyzer unit to save that log type. Under System > Config > SQL Database, ensure that the log type is checked. Connection Errors If well formed queries do not produce results, and logging is turned on for the log type, there may be a database configuration problem with the remote database. Ensure that: • MySQL is running and using the default port3306. • You have created an empty database and a user with create permissions for the database. Here is an example of creating a new MySQL database named fazlogs, and adding a user for the database: #Mysql –u root –p mysql> Create database fazlogs; mysql> Grant all privileges on fazlogs.* to ‘fazlogger’@’*’ identified by ‘fazpassword’; mysql> Grant all privileges on fazlogs.* to ‘fazlogger’@’localhost’ identified by ‘fazpassword’; For more information about using SQL queries for creating datasets, refer to the FortiAnalyzer™ and FortiGate™ Version 4.0 MR2 SQL Log Database Query Technical Note on the Fortinet Documentation Library at docs.fortinet.com. Copyright © 2014 Fortinet, Inc. All Rights Reserved 9 Overview FortiAnalyzer v5.0.8 Datasets Examples of Custom Datasets The following examples illustrate how to create custom datasets using the web-based manager GUI. Once created, you can use the datasets to configure chart templates under Reports > Chart Library. Example 1: Distribution of applications by type in the last 24 hours GUI Procedure 1. Go to Reports> Advanced > Dataset. 2. Click Create New. 3. Select Application Control under Log Type. 4. Enter a name, such as "apps_type_24hrs". 5. Select Last N Hours under Time Period. 6. Enter the query: SELECT app_type, COUNT( * ) AS totalnum FROM $log WHERE $filter 10 Copyright © 2014 Fortinet, Inc. Overview FortiAnalyzer v5.0.8 Datasets AND app_type IS NOT NULL GROUP BY app_type ORDER BY totalnum DESC Notes: • $filter restricts the query result to the time period specified; in this case, it’s the past 24 hours. • $log queries all application control logs • The application control module classifies each firewall session in app_type. One firewall session may be classified to multiple app_types. For example, an HTTPsession can be classified to: HTTP, Facebook, etc. • Some app/app_types may not be able to detected, then the ‘app_type’ field may be null or ‘N/A’. These will be ignored by this query. • The result is ordered by the total session number of the same app_type. The most frequent app_types will appear first. Example 2: Top 100 applications by bandwidth in the last 24 hours GUI Procedure 1. Go to Reports> Advanced > Dataset. 2. Click Create New. 3. Select Application Control under Log Type. 4. Enter a name, such as "top_100_aps_24hrs". 5. Select Last N Hours under Time Period. 6. Enter the query: SELECT ( TIMESTAMP - TIMESTAMP %3600 ) AS hourstamp, app, service, SUM( sent + rcvd ) AS volume FROM $log WHERE $filter and app IS NOT NULL GROUP BY app ORDER BY volume DESC LIMIT 100 Notes: • (timestamp-timestamp%3600) as hourstamp - this calculates an "hourstamp" to indicate bandwidth per hour. • SUM( sent + rcvd ) AS volume - this calculates the total sent and received bytes. • ORDER BY volume DESC - this orders the results by descending volume (largest volume first). • LIMIT 100 - this lists only the top 100 applications. Copyright © 2014 Fortinet, Inc. All Rights Reserved 11 Overview FortiAnalyzer v5.0.8 Datasets 12 Copyright © 2014 Fortinet, Inc. Overview FortiAnalyzer v5.0.8 Datasets Log Database Tables The FortiAnalyzer and FortiGate units create SQL database tables to record log data. These tables are generated for high log rate and low log rate devices. The naming convention for the log SQL tables is: High log rate: <devtype>]-ADOM[<admon_oid><log-type>-timestamp] and Low log rate: <devtype>ADOM<adom_oid>-ALLELSE-<log-type>-<timestamp>-<delta-timestamp> where the device type can be any one of the following: Example: FGTADOM141-tlog-0, FGTADOM141-ALLELSE-tlog-0-0 <devtype> : "FGT/FMG/FML/FCT/FWB/FCH/FAZ/SYS/..." {"FGT", {"FMG", {"SYS", {"FCT", {"FML", {"FWB", {"FCH", {"FAZ", {"FSA", "FortiGate"}, "FortiManager"}, "Syslog"}, "FortiClient"}, "FortiMail"}, "FortiWeb"}, "FortiCache"}, "FortiAnalyzer"}, "FortiSandbox"}, Log Types and SQL Tables Log Type SQL Table Type Description Traffic tlog The traffic log records all traffic to and through the FortiGate interface. Event elog The event log records management and activity events. For example, when an administrator logs in or logs out of the web-based manager. Antivirus vlog The antivirus log records virus incidents in Web, FTP, and email traffic. Webfilter wlog The web filter log records HTTP FortiGate log rating errors including web content blocking actions that the FortiGate unit performs. Attack attack_log The attack log records attacks that are detected and prevented by the FortiGate unit. Data Leak dlog Prevention The Data Leak Prevention log records log data that is considered sensitive and that should not be made public. This log also records data that a company does not want entering their network. Application rlog Control The application control log records data detected by the FortiGate unit and the action taken against the network traffic depending on the application that is generating the traffic, for example, instant messaging software, such as MSN Messenger. Copyright © 2014 Fortinet, Inc. All Rights Reserved 13 Overview FortiAnalyzer v5.0.8 Datasets Log Type SQL Table Type Description Spamfilter spamfilter_ The spam filter log records blocking of email address patterns and content in SMTP, IMAP, log and POP3 traffic. Content clog The content log records all network content that is transmitted through the network. Netscan nlog The netscan log records data related to network security and scan. Sniffer xlog The sniffer log records each packet raw data for traffic bottlenecks. VOIP plog The VOIP log records detailed protocol specific logs for VOIP traffic. To view all the tables created in a database, use the following commands: • local (PostgreSQL) database: SELECT * FROM pg_tables • remote (MySQL): SHOW TABLES FortiAnalyzer and FortiGate logs also include log sub-types, which are types of log messages that are within the main log type. For example, in the event log type there are the subtype admin log messages. For more information on FortiGate Log Types and Messages, refer to the FortiOS/FortiGate Log Message Reference Guide on the Fortinet Documentation Library at: docs.fortinet.com. Log Type Sub Type traffic (Traffic Log) • allowed – Policy allowed traffic • violation - Policy violation traffic • other event (Event Log) For FortiGate devices: • system – System activity event • ipsec – IPSec negotiation event • dhcp – DHCP service event • ppp – L2TP/PPTP/PPPoE service event • admin – admin event • ha – HA activity event • auth – Firewall authentication event • pattern – Pattern update event • alertemail – Alert email notifications • chassis – FortiGate-4000 and FortiGate-5000 series chassis event • sslvpn-user – SSL VPN user event • sslvpn-admin – SSL VPN administration event • sslvpn-session – SSL VPN session event • his-performance – performance statistics • vipssl – VIP SSL events • ldb-monitor – LDB monitor events dlp (Data Leak Prevention) • dlp – Data Leak Prevention app-crtl (Application Control Log) • app-crtl-all – All application control virus (Antivirus Log) • infected – Virus infected • filename – Filename blocked • oversize – File oversized webfilter (Web Filter Log) • content – content block • urlfilter – URL filter • FortiGuard block • FortiGuard allowed • FortiGuard error • ActiveX script filter • Cookie script filter • Applet script filter 14 Copyright © 2014 Fortinet, Inc. Overview FortiAnalyzer v5.0.8 Datasets Log Type Sub Type ips (Attack Log) • signature – Attack signature • anomaly – Attack anomaly email filter (Spam Filter Log) • SMTP • POP3 • IMAP Copyright © 2014 Fortinet, Inc. All Rights Reserved 15 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Reference List The following table lists the available predefined data sets applicable to a FortiGate device reported by FortiAnalyzer. For documentation and technical support reference purposes, this table contains the dataset names, SQL query syntax for each dataset, and the log category of the dataset. Dataset Name App-RiskApp-UsageBy-Category App-RiskApplicationActivity-APP App-RiskApplicationsRunningOver-HTTP 16 Description Log Category Query Syntax Application risk application usage by category Traffic SELECT appcat, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND nullifna(appcat) IS NOT NULL GROUP BY appcat ORDER BY bandwidth DESC SELECT app_group_name(app) AS app_group, appcat, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, count(*) AS num_session FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND nullifna(app) IS NOT NULL GROUP BY app_group, appcat ORDER BY bandwidth DESC Traffic SELECT app_group_name(app) AS app_group, appcat, sum(coalesce(sentbyte, 0)+COALESCE (rcvdbyte, 0)) AS bandwidth, count(*) AS num_session FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND nullifna(app) IS NOT NULL GROUP BY app_group, appcat ORDER BY bandwidth DESC Traffic SELECT app_group_name(app) AS app_group, service, count(*) AS sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) Application risk application activity Application risk applications running over HTTP Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax AND nullifna(app) IS NOT NULL AND service IN ('80/tcp', '443/tcp', 'HTTP', 'HTTPS', 'http', 'https') GROUP BY app_group, service HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY bandwidth DESC App-RiskApplication Breakdownrisk breakOf-Risk-Applic- down of risk ations applications App-RiskDLP-UTMEvent App-RiskHigh-RiskApplication Application risk DLP UTM event Application risk high risk application Copyright © 2014 Fortinet, Inc. All Rights Reserved Traffic SELECT d_behavior, count(*) AS number FROM $log t1 INNER JOIN app_mdata t2 ON t1.appid=t2.id WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND d_risk>0 GROUP BY d_behavior ORDER BY number DESC Traffic SELECT utmsubtype, sum(number) AS number FROM (### (SELECT utmsubtype, count(*) AS number FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent='dlp' AND utmsubtype IS NOT NULL GROUP BY utmsubtype ORDER BY number DESC)### UNION ALL ### (SELECT subtype AS utmsubtype, count(*) AS number FROM $log-dlp WHERE $filter AND subtype IS NOT NULL GROUP BY subtype ORDER BY number DESC)###) t GROUP BY utmsubtype ORDER BY number DESC Traffic SELECT d_risk, d_behavior, t2.id, t2.name, t2.app_cat, t2.technology, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, count(*) AS sessions FROM $log t1 INNER JOIN app_mdata t2 ON t1.appid=t2.id WHERE $filter AND logid_to_int(logid) NOT IN (4, 17 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax 7, 14) AND d_behavior IS NOT NULL GROUP BY t2.id ORDER BY d_risk DESC, sessions DESC App-RiskNumber-OfApplicationsBy-Risk-Behavior App-RiskReputationTop-DevicesBy-Scores Application risk number of applicTraffic ations by risk behavior SELECT d_risk, coalesce(d_behavior, 'Other Applications') AS f_behavior, count(*) AS number FROM $log t1 INNER JOIN app_mdata t2 ON t1.appid=t2.id WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY d_risk, d_behavior ORDER BY d_risk DESC, number DESC Application risk reputation top devices by scores Traffic SELECT devtype, coalesce(nullifna(`srcname`),nullifna(`srcmac`), ipstr(`srcip`)) AS dev_src, sum(crscore%65536) AS scores FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND crscore IS NOT NULL GROUP BY devtype, dev_src HAVING sum(crscore%65536)>0 ORDER BY scores DESC Traffic SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, sum(crscore%65536) AS scores FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND crscore IS NOT NULL GROUP BY user_src HAVING sum(crscore%65536)>0 ORDER BY scores DESC attack SELECT attack, severity, REF, count(*) AS totalnum FROM $log WHERE $filter AND severity='critical' AND nullifna(attack) IS NOT NULL GROUP BY attack, severity, REF ORDER BY totalnum DESC Application App-Riskrisk repuReputationtation top Top-Users-Byusers by Scores scores App-Risk-TopCriticalThreat-Vectors Application risk top critical threat vectors App-Risk-Top- Application High-Threat- risk top high attack Vectors threat vectors 18 SELECT attack, severity, REF, Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax count(*) AS totalnum FROM $log WHERE $filter AND severity='high' AND nullifna(attack) IS NOT NULL GROUP BY attack, severity, REF ORDER BY totalnum DESC App-Risk-Top- Application Info-Threatrisk top info attack Vectors threat vectors SELECT attack, severity, REF, count(*) AS totalnum FROM $log WHERE $filter AND severity='info' AND nullifna(attack) IS NOT NULL GROUP BY attack, severity, REF ORDER BY totalnum DESC App-Risk-Top- Application Low-Threatrisk top low attack Vectors threat vectors SELECT attack, severity, REF, count(*) AS totalnum FROM $log WHERE $filter AND severity='low' AND nullifna(attack) IS NOT NULL GROUP BY attack, severity, REF ORDER BY totalnum DESC App-Risk-TopMediumThreat-Vectors SELECT attack, severity, REF, count(*) AS totalnum FROM $log WHERE $filter AND severity='medium' AND nullifna(attack) IS NOT NULL GROUP BY attack, severity, REF ORDER BY totalnum DESC Application risk top attack medium threat vectors App-Risk-Top- Application Threat-Vectrisk top threat attack ors vectors SELECT severity, count(*) AS totalnum FROM $log WHERE $filter GROUP BY severity ORDER BY totalnum DESC Application App-Risk-Top- risk top user User-Source- source by By-Sessions session count SELECT srcip, coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, count(*) AS sessions FROM $log WHERE $filter Copyright © 2014 Fortinet, Inc. All Rights Reserved Traffic 19 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax AND logid_to_int(logid) NOT IN (4, 7, 14) AND srcip IS NOT NULL GROUP BY srcip, user_src ORDER BY sessions DESC App-RiskVirus-Discovered Application risk virus dis- Traffic covered SELECT dom, sum(totalnum) AS totalnum FROM (### (SELECT $DAY_OF_MONTH AS dom, count(*) AS totalnum FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IS NOT NULL AND virus IS NOT NULL GROUP BY dom ORDER BY totalnum DESC)### UNION ALL ### (SELECT $DAY_OF_MONTH AS dom, count(*) AS totalnum FROM $log-virus WHERE $filter AND nullifna(virus) IS NOT NULL AND (eventtype IS NULL OR logver = 52) GROUP BY dom ORDER BY totalnum DESC)###) t GROUP BY dom ORDER BY totalnum DESC Application App-Risk-Vulrisk vulnerability-Disnetscan nerability discovered covered SELECT vuln, vulncat, severity, count(*) AS totalnum FROM $log WHERE $filter AND vuln IS NOT NULL GROUP BY vuln, vulncat, severity ORDER BY totalnum DESC Application App-Riskrisk web Web-Browsbrowsing ing-Activityactivity hostHostname-Catname category egory SELECT DOMAIN, catdesc, sum(visits) AS visits FROM (### (SELECT coalesce(nullifna(hostname), ipstr(`dstip`)) AS DOMAIN, catdesc, count(*) AS visits FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 20 Traffic Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax 'web-content', 'command-block', 'script-filter') AND catdesc IS NOT NULL AND catdesc !='Unrated' GROUP BY DOMAIN, catdesc ORDER BY visits DESC)### UNION ALL ### (SELECT coalesce(nullifna(hostname), ipstr(`dstip`)) AS DOMAIN, catdesc, count(*) AS visits FROM $log-webfilter WHERE $filter AND (eventtype IS NULL OR logver = 52) AND catdesc IS NOT NULL AND catdesc !='Unrated' GROUP BY DOMAIN, catdesc ORDER BY visits DESC)###) t GROUP BY DOMAIN, catdesc ORDER BY visits DESC Application App-Riskrisk web Web-Browsbrowsing Traffic ing-Summarysummary catCategory egory Copyright © 2014 Fortinet, Inc. All Rights Reserved SELECT catdesc, sum(num_sess) AS num_sess, sum(bandwidth) AS bandwidth FROM (### (SELECT catdesc, count(*) AS num_sess, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') AND catdesc IS NOT NULL AND catdesc !='Unrated' GROUP BY catdesc ORDER BY num_sess DESC)### UNION ALL ### (SELECT catdesc, count(*) AS num_sess, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-webfilter WHERE $filter AND (eventtype IS NULL OR logver = 52) AND catdesc IS NOT NULL AND catdesc !='Unrated' GROUP BY catdesc ORDER BY num_sess DESC)###) t 21 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax GROUP BY catdesc ORDER BY num_sess DESC App-SesApplication sions-By-Cat- sessions by egory category app-TopAllowedApplicationsby-Bandwidth app-TopBlockedApplicationsby-Session Traffic Top allowed applications Traffic by bandwidth usage SELECT FROM_itime(itime) AS TIMESTAMP, coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, appcat, app, coalesce(root_domain(hostname), ipstr(dstip)) AS destination, sum(coalesce(`sentbyte`, 0)+coalesce(`rcvdbyte`, 0)) AS bandwidth FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND action IN ('accept', 'close', 'timeout') GROUP BY TIMESTAMP, user_src, appcat, app, destination ORDER BY bandwidth DESC Top blocked applications by session SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, appcat, app, count(*) AS sessions FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND action IN ('deny', 'blocked', 'reset', 'dropped') GROUP BY user_src, appcat, app ORDER BY sessions DESC Traffic Top category app-Top-Catand applicegory-andations by Traffic Applicationsbandwidth by-Bandwidth usage 22 SELECT appcat, count(*) AS sessions FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND nullifna(appcat) IS NOT NULL GROUP BY appcat ORDER BY sessions DESC SELECT appcat, app, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY appcat, app HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY bandwidth DESC app-Top-Category-andApplicationsby-Session Top category and applicTraffic ations by session SELECT appcat, app, count(*) AS sessions FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY appcat, app ORDER BY sessions DESC appctrl-TopAppctrl top Blockedblocked app-ctrl SCCP-Callers SCCP callers SELECT srcname AS caller, count(*) AS totalnum FROM $log WHERE $filter AND lower(appcat)='voip' AND app='sccp' AND action='block' AND srcname IS NOT NULL GROUP BY caller ORDER BY totalnum DESC appctrl-TopBlocked-SIPCallers app-ctrl SELECT srcname AS caller, count(*) AS totalnum FROM $log WHERE $filter AND srcname IS NOT NULL AND lower(appcat)='voip' AND app='sip' AND action='block' GROUP BY caller ORDER BY totalnum DESC Traffic SELECT $flex_timescale AS hodex, count(*) AS counter FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY hodex ORDER BY hodex Traffic SELECT coalesce(nullifna(root_domain(hostname)), ipstr(`dstip`)) AS DOMAIN, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(rcvdbyte, 0)) AS traffic_in, sum(coalesce(sentbyte, 0)) AS traffic_out, count(*) AS sessions FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) ApplicationSession-History bandwidthapp-Top-DestBy-Bandwidth-Sessions Appctrl top blocked SIP callers Application session history Bandwidth application top dest by bandwidth usage sessions Copyright © 2014 Fortinet, Inc. All Rights Reserved 23 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax GROUP BY appid, DOMAIN HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY bandwidth DESC bandwidthapp-TopUsers-ByBandwidth Bandwidth application top users by bandwidth usage Traffic Bandwidth bandwidthapplication app-Traffictraffic by act- Traffic By-Activeive user numUser-Number ber SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(rcvdbyte, 0)) AS traffic_in, sum(coalesce(sentbyte, 0)) AS traffic_out, count(*) AS sessions FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY user_src HAVING sum(coalesce(sentbyte, 0)+coalesce (rcvdbyte, 0))>0 ORDER BY bandwidth DESC SELECT hodex, count(distinct(user_src)) AS total_user FROM ### (SELECT $flex_timescale AS hodex, coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr (`srcip`)) AS user_src FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY hodex, user_src ORDER BY hodex)### t GROUP BY hodex ORDER BY hodex DROP TABLE IF EXISTS stats_temp; CREATE TEMPORARY TABLE stats_temp(total_sessions varchar(255), total_ bandwidth varchar(255), ave_session varchar(255), ave_bandwidth varchar(255), active_date varchar(255), total_users varchar(255), total_app varchar(255), total_dest varchar(255)); bandwidthapp-TrafficStatistics 24 Bandwidth application traffic statistics Traffic INSERT INTO stats_temp (total_sessions, total_bandwidth, ave_session, ave_bandwidth) SELECT format_numeric_no_decimal(sum(sessions)) AS total_sessions, bandwidth_unit(sum(bandwidth)) AS total_bandwidth, format_numeric_no_decimal(cast(sum(sessions)/$days_num AS decimal(18, 0))) AS ave_session, bandwidth_unit(cast(sum(bandwidth)/$days_num AS decimal(18, 0))) AS ave_bandwidth FROM ### (SELECT count(*) AS sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax AND ${LOCAL_EXCLUSIVE})### t; UPDATE stats_temp SET active_date=t1.dom FROM (SELECT dom, sum(sessions) AS sessions FROM ### (SELECT $DAY_OF_MONTH AS dom, count(*) AS sessions FROM $log WHERE $filter AND ${LOCAL_EXCLUSIVE} GROUP BY dom ORDER BY sessions)### t GROUP BY dom ORDER BY sessions DESC LIMIT 1) AS t1; UPDATE stats_temp SET total_users=t2.totalnum FROM (SELECT format_numeric_no_decimal(count(distinct(user_src))) AS totalnum FROM ### (SELECT distinct(coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`))) AS user_src FROM $log WHERE $filter AND ${LOCAL_EXCLUSIVE})### t) AS t2; UPDATE stats_temp SET total_app=t3.totalnum FROM (SELECT format_numeric_no_decimal(count(distinct(app_group_ name(app)))) AS totalnum FROM ### (SELECT distinct(app_group_name(app)) AS app FROM $log WHERE $filter AND ${LOCAL_EXCLUSIVE})### t) AS t3; UPDATE stats_temp SET total_dest=t4.totalnum FROM (SELECT format_numeric_no_decimal(count(distinct(dstip))) AS totalnum FROM ### (SELECT distinct(dstip) AS dstip FROM $log WHERE $filter AND ${LOCAL_EXCLUSIVE})### t) AS t4; SELECT 'Total Sessions' AS summary, total_sessions AS stats FROM stats_temp UNION ALL SELECT 'Total Bytes Transferred' AS summary, total_bandwidth AS stats FROM stats_temp Copyright © 2014 Fortinet, Inc. All Rights Reserved 25 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax UNION ALL SELECT 'Most Active Date By Sessions' AS summary, active_date AS stats FROM stats_temp UNION ALL SELECT 'Total Users' AS summary, total_users AS stats FROM stats_temp UNION ALL SELECT 'Total Applications' AS summary, total_app AS stats FROM stats_temp UNION ALL SELECT 'Total Destinations' AS summary, total_dest AS stats FROM stats_temp UNION ALL SELECT 'Average Sessions Per Day' AS summary, ave_session AS stats FROM stats_temp UNION ALL SELECT 'Average Bytes Per Day' AS summary, ave_bandwidth AS stats FROM stats_temp Botnet-Activ- Botnet activTraffic ity-By-Sources ity by sources SELECT app, coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, count(*) AS events FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND appcat='Botnet' AND nullifna(app) IS NOT NULL GROUP BY app, user_src ORDER BY events DESC Botnet-Infected-Hosts Botnet infected hosts Traffic SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, devtype, coalesce(srcname, srcmac) AS host_mac, count(*) AS events FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND appcat='Botnet' GROUP BY user_src, devtype, host_mac ORDER BY events DESC BotnetSources Botnet sources Traffic 26 SELECT dstip, root_domain(hostname) AS DOMAIN, count(*) AS events FROM $log Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND appcat='Botnet' AND dstip IS NOT NULL GROUP BY dstip, DOMAIN ORDER BY events DESC BotnetTimeline Botnet timeline Botnet-Victims Botnet victims contentCount-TotalSCCP-CallRegistrationsby-Hour-ofDay Content count total SCCP call registrations by hour of day contentCount-TotalSCCP-CallsDuration-byHour-of-Day contentCount-TotalSCCP-Callsper-Status Content count total SCCP calls duration by hour of day Content count total SCCP calls per status Copyright © 2014 Fortinet, Inc. All Rights Reserved Traffic SELECT $flex_timescale AS hodex, count(*) AS events FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND appcat='Botnet' GROUP BY hodex ORDER BY hodex DESC Traffic SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, count(*) AS events FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND appcat='Botnet' AND srcip IS NOT NULL GROUP BY user_src ORDER BY events DESC content SELECT $hour_of_day AS hourstamp, count(*) AS totalnum FROM $log WHERE $filter AND proto='sccp' AND kind='register' GROUP BY hourstamp ORDER BY hourstamp content SELECT $hour_of_day AS hourstamp, sum(duration) AS sccp_usage FROM $log WHERE $filter AND proto='sccp' AND kind='call-info' AND status='end' GROUP BY hourstamp ORDER BY hourstamp content SELECT status, count(*) AS totalnum FROM $log WHERE $filter AND proto='sccp' AND kind='call-info' GROUP BY status ORDER BY totalnum DESC 27 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name contentCount-TotalSIP-CallRegistrationsby-Hour-ofDay contentCount-TotalSIP-Calls-perStatus content-DistTotal-SIPCalls-by-Duration default-APDetectionSummary-byStatus-OffWire 28 Description Log Category Query Syntax Content count total SIP call regis- content trations by hour of day SELECT $hour_of_day AS hourstamp, count(*) AS totalnum FROM $log WHERE $filter AND proto='sip' AND kind='register' GROUP BY hourstamp ORDER BY hourstamp Content count total SIP calls per status content SELECT status, count(*) AS totalnum FROM $log WHERE $filter AND proto='sip' AND kind='call' GROUP BY status ORDER BY totalnum DESC Content dist total SIP calls content by duration SELECT (CASE WHEN duration < 60 THEN 'LESS_ONE_MIN' WHEN duration < 600 THEN 'LESS_TEN_MIN' WHEN duration < 3600 THEN 'LESS_ONE_HOUR' WHEN duration >= 3600 THEN 'MORE_ONE_HOUR' ELSE 'unknown' END) AS f_duration, count(*) AS totalnum FROM $log WHERE $filter AND proto='sip' AND kind='call' AND status='end' GROUP BY f_duration ORDER BY totalnum DESC Default access point detection event summary by status offwire SELECT (CASE apstatus WHEN 1 THEN 'rogue' WHEN 2 THEN 'accepted' WHEN 3 THEN 'suppressed' ELSE 'others' END) AS ap_full_status, count(*) AS totalnum FROM (SELECT apstatus, bssid, ssid FROM ### (SELECT apstatus, bssid, ssid, count(*) AS subtotal FROM $log WHERE $filter AND apstatus IS NOT NULL AND apstatus!=0 AND bssid IS NOT NULL AND onwire='no' AND logid_to_int(logid) IN (43527, 43521, 43525) GROUP BY apstatus, Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax bssid, ssid ORDER BY subtotal DESC)### t GROUP BY apstatus, bssid, ssid) t GROUP BY ap_full_status ORDER BY totalnum DESC default-APDetectionSummary-byStatus-OnWire default-EmailTop-Receivers-By-Bandwidth Default access point detection event summary by status onwire SELECT (CASE apstatus WHEN 1 THEN 'rogue' WHEN 2 THEN 'accepted' WHEN 3 THEN 'suppressed' ELSE 'others' END) AS ap_full_status, count(*) AS totalnum FROM (SELECT apstatus, bssid, ssid FROM ### (SELECT apstatus, bssid, ssid, count(*) AS subtotal FROM $log WHERE $filter AND apstatus IS NOT NULL AND apstatus!=0 AND bssid IS NOT NULL AND onwire='yes' AND logid_to_int(logid) IN (43527, 43521, 43525) GROUP BY apstatus, bssid, ssid ORDER BY subtotal DESC)### t GROUP BY apstatus, bssid, ssid) t GROUP BY ap_full_status ORDER BY totalnum DESC Default email top receivers Traffic by bandwidth usage SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND service IN ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', Copyright © 2014 Fortinet, Inc. All Rights Reserved 29 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax '993/tcp', 'pop3s', 'POP3S', '995/tcp') GROUP BY user_src HAVING sum(coalesce(sentbyte, 0)+coalesce (rcvdbyte, 0))>0 ORDER BY bandwidth DESC default-Email- Default email Top-Receivtop receivers Traffic ers-By-Count by count SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, count(*) AS requests FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND service IN ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') GROUP BY user_src ORDER BY requests DESC Default email default-Emailtop senders Top-SendersTraffic by bandwidth By-Bandwidth usage SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND service IN ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') GROUP BY user_src HAVING sum(coalesce(sentbyte, 0)+coalesce (rcvdbyte, 0))>0 ORDER BY bandwidth DESC Default mandefault-Managed access aged-AP-Sumevent point summary mary SELECT (CASE WHEN (action LIKE '%join%' AND logid_to_int(logid)=43522) THEN 'Authorized' ELSE 'Unauthorized' END) AS ap_status, count(*) AS totalnum FROM $log WHERE $filter AND logid_to_int(logid)=43522 GROUP BY ap_status ORDER BY totalnum DESC 30 Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name defaultSELECTedAP-DetailsOffWire defaultSELECTedAP-DetailsOnWire Description Log Category Query Syntax Default SELECTed access point event details offwire SELECT (CASE apstatus WHEN 0 THEN 'unclassified' WHEN 1 THEN 'rogue' WHEN 2 THEN 'accepted' WHEN 3 THEN 'suppressed' ELSE 'others' END) AS ap_full_status, devid, vd, ssid, bssid, manuf, rssi, channel, radioband, FROM_dtime(min(dtime)) AS first_seen, FROM_dtime(max(dtime)) AS last_seen, detectionmethod, itime, onwire AS on_wire FROM $log WHERE $filter AND apstatus IS NOT NULL AND bssid IS NOT NULL AND onwire='no' AND logid_to_int(logid)=43521 GROUP BY ap_full_status, devid, vd, ssid, bssid, manuf, rssi, channel, radioband, detectionmethod, itime, onwire, apstatus Default SELECTed access point event details onwire SELECT (CASE apstatus WHEN 0 THEN 'unclassified' WHEN 1 THEN 'rogue' WHEN 2 THEN 'accepted' WHEN 3 THEN 'suppressed' ELSE 'others' END) AS ap_full_status, devid, vd, ssid, bssid, manuf, rssi, channel, radioband, FROM_dtime(min(dtime)) AS first_seen, FROM_dtime(max(dtime)) AS last_seen, detectionmethod, itime, onwire AS on_wire Copyright © 2014 Fortinet, Inc. All Rights Reserved 31 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax FROM $log WHERE $filter AND apstatus IS NOT NULL AND bssid IS NOT NULL AND onwire='yes' AND logid_to_int(logid)=43521 GROUP BY ap_full_status, devid, vd, ssid, bssid, manuf, rssi, channel, radioband, detectionmethod, itime, onwire, apstatus Traffic SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND vpntype IN ('ipsec-dynamic', 'sslvpn') GROUP BY user_src HAVING sum(coalesce(sentbyte, 0)+coalesce (rcvdbyte, 0))>0 ORDER BY bandwidth DESC Traffic SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, count(*) AS requests FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND service IN ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') GROUP BY user_src ORDER BY requests DESC Default top default-TopIPsec VPN IPSEC-Vpndial up user event Dial-Up-Userby bandwidth By-Bandwidth usage SELECT user_src, sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth FROM ### (SELECT coalesce(nullifna(`xauthuser`), nullifna(ùser`), ipstr (`remip`)) AS user_src, tunnelid, min(coalesce(sentbyte, 0)) AS sent_beg, default-TopDial-Up-UserOf-Vpn-Tunnel-By-Bandwidth default-TopEmailSenders-ByCount 32 Default top dial up user of VPN tunnel by bandwidth usage Default top email senders by count Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax max (coalesce(sentbyte, 0)) AS sent_end, min(coalesce(rcvdbyte, 0)) AS rcvd_beg, max(coalesce(rcvdbyte, 0)) AS rcvd_end FROM $log WHERE $filter AND subtype='vpn' AND tunneltype LIKE 'ipsec%' AND action='tunnel-stats' AND NOT (tunnelip IS NULL OR (tunnelip='0.0.0.0' AND coalesce(logver, 0)!=52)) AND tunnelid IS NOT NULL GROUP BY user_src, tunnelid ORDER BY tunnelid)### t GROUP BY user_src HAVING sum(sent_end-sent_beg+rcvd_endrcvd_beg)>0 ORDER BY bandwidth DESC default-TopSources-OfSSL-VPN-Tunnels-By-Bandwidth Default top sources of SSL VPN tun- event nels by bandwidth usage Default default-Unclasunclassified sified-AP-Sumevent access point mary summary Copyright © 2014 Fortinet, Inc. All Rights Reserved SELECT remip AS remote_ip, sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth FROM ### (SELECT remip, tunnelid, min(coalesce(sentbyte, 0)) AS sent_beg, max(coalesce(sentbyte, 0)) AS sent_end, min(coalesce(rcvdbyte, 0)) AS rcvd_beg, max(coalesce (rcvdbyte, 0)) AS rcvd_end FROM $log WHERE $filter AND tunneltype LIKE 'ssl%' AND remip IS NOT NULL AND subtype='vpn' AND action='tunnel-stats' AND tunnelid IS NOT NULL GROUP BY tunnelid, remip ORDER BY tunnelid)### t GROUP BY remote_ip HAVING sum(sent_end-sent_beg+rcvd_endrcvd_beg)>0 ORDER BY bandwidth DESC SELECT (CASE onwire WHEN 'no' THEN 'off-wire' WHEN 'yes' THEN 'on-wire' ELSE 'others' END) AS ap_status, count(*) AS totalnum FROM ### (SELECT onwire, ssid, bssid, count(*) AS subtotal FROM $log WHERE $filter 33 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax AND apstatus=0 AND bssid IS NOT NULL AND logid_to_int(logid) IN (43521, 43525, 43527) GROUP BY onwire, ssid, bssid ORDER BY subtotal DESC)### t GROUP BY ap_status ORDER BY totalnum DESC DetailedApplicationUsage Detailed application usage Traffic SELECT appid, app, appcat, (CASE utmaction WHEN 'blocked' THEN 'Blocked' ELSE 'Allowed' END) AS custaction, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, count(*) AS num_session FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND nullifna(app) IS NOT NULL AND policyid != 0 GROUP BY appid, app, appcat, custaction ORDER BY bandwidth DESC Detected-Bot- Detected botTraffic net net SELECT app, count(*) AS events FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND appcat='Botnet' AND nullifna(app) IS NOT NULL GROUP BY app ORDER BY events DESC Drilldown top drilldown-Topapplications App-By-BandTraffic by bandwidth width usage SELECT appid, app, sum(bandwidth) AS bandwidth FROM ### (SELECT appid, app, coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, dstip, srcintf, dstintf, policyid, count(*) AS sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth 34 Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax FROM $log WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY appid, app, user_src, dstip, srcintf, dstintf, policyid ORDER BY sessions DESC)### t WHERE $filter-var-ONLY AND nullifna(app) IS NOT NULL GROUP BY appid, app HAVING sum(bandwidth)>0 ORDER BY bandwidth DESC Drilldown top drilldown-Topapplications App-By-SesTraffic by session sions count SELECT appid, app, sum(sessions) AS sessions FROM ### (SELECT appid, app, coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, dstip, srcintf, dstintf, policyid, count(*) AS sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY appid, app, user_src, dstip, srcintf, dstintf, policyid ORDER BY sessions DESC)### t WHERE $filter-var-ONLY AND nullifna(app) IS NOT NULL GROUP BY appid, app ORDER BY sessions DESC drilldown-Top- Drilldown top attack Attack-Dest attack dest SELECT dstip, sum(totalnum) AS totalnum FROM ### (SELECT srcip, dstip, count(*) AS totalnum FROM $log Copyright © 2014 Fortinet, Inc. All Rights Reserved 35 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax WHERE $filter-exclude-var GROUP BY srcip, dstip ORDER BY totalnum DESC)### t WHERE $filter-var-ONLY AND dstip IS NOT NULL GROUP BY dstip ORDER BY totalnum DESC drilldown-Top- Drilldown top attack Attack-List attack list SELECT FROM_itime(itime) AS TIMESTAMP, attack, srcip, dstip FROM ### (SELECT itime, attack, srcip, dstip FROM $log WHERE $filter-exclude-var ORDER BY itime DESC)### t WHERE $filter-var-ONLY ORDER BY itime DESC drilldown-Top- Drilldown top attack Attack-Source attack source SELECT srcip, sum(totalnum) AS totalnum FROM ### (SELECT srcip, dstip, count(*) AS totalnum FROM $log WHERE $filter-exclude-var GROUP BY srcip, dstip ORDER BY totalnum DESC)### t WHERE $filter-var-ONLY AND srcip IS NOT NULL GROUP BY srcip ORDER BY totalnum DESC Drilldown top drilldown-Topdestination DestinationTraffic by bandwidth By-Bandwidth usage SELECT dstip, sum(bandwidth) AS bandwidth FROM ### (SELECT appid, app, coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, dstip, srcintf, dstintf, policyid, count(*) AS sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY appid, app, 36 Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax user_src, dstip, srcintf, dstintf, policyid ORDER BY sessions DESC)### t WHERE $filter-var-ONLY AND dstip IS NOT NULL GROUP BY dstip HAVING sum(bandwidth)>0 ORDER BY bandwidth DESC Drilldown top drilldown-Topdestination DestinationTraffic by session By-Sessions count SELECT dstip, sum(sessions) AS sessions FROM ### (SELECT appid, app, coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, dstip, srcintf, dstintf, policyid, count(*) AS sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY appid, app, user_src, dstip, srcintf, dstintf, policyid ORDER BY sessions DESC)### t WHERE $filter-var-ONLY AND dstip IS NOT NULL GROUP BY dstip ORDER BY sessions DESC drilldown-TopEmailReceiver-ByCount SELECT recipient, sum(requests) AS requests FROM (### (SELECT recipient, sender, count(*) AS requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND service IN ('pop3', 'POP3', '110/tcp', 'imap', Drilldown top email Traffic receiver by count Copyright © 2014 Fortinet, Inc. All Rights Reserved 37 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') AND utmevent IN ('general-email-log', 'spamfilter') GROUP BY recipient, sender ORDER BY requests DESC)### UNION ALL ### (SELECT `to` AS recipient, `FROM` AS sender, count(*) AS requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-emailfilter WHERE $filter-exclude-var AND service IN ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') AND eventtype IS NULL GROUP BY `to`, `FROM` ORDER BY requests DESC)###) t WHERE $filter-var-ONLY AND recipient IS NOT NULL GROUP BY recipient ORDER BY requests DESC drilldown-TopEmailReceiver-ByVolume 38 Drilldown top email Traffic receiver by volume SELECT recipient, sum(bandwidth) AS volume FROM (### (SELECT recipient, sender, count(*) AS requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND service IN ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') AND utmevent IN ('general-email-log', 'spamfilter') GROUP BY recipient, sender ORDER BY requests DESC)### UNION ALL ### (SELECT `to` AS recipient, `FROM` AS sender, count(*) AS requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-emailfilter WHERE $filter-exclude-var AND service IN ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') AND eventtype IS NULL GROUP BY `to`, `FROM` ORDER BY requests DESC)###) t WHERE $filter-var-ONLY AND recipient IS NOT NULL GROUP BY recipient HAVING sum(bandwidth)>0 ORDER BY volume DESC drilldown-TopEmailReceiveSender-ByCount Drilldown top email receive Traffic sender by count Copyright © 2014 Fortinet, Inc. All Rights Reserved SELECT sender, sum(requests) AS requests FROM (### (SELECT recipient, sender, count(*) AS requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND service IN ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 39 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') AND utmevent IN ('general-email-log', 'spamfilter') GROUP BY recipient, sender ORDER BY requests DESC)### UNION ALL ### (SELECT `to` AS recipient, `FROM` AS sender, count(*) AS requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-emailfilter WHERE $filter-exclude-var AND service IN ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') AND eventtype IS NULL GROUP BY `to`, `FROM` ORDER BY requests DESC)###) t WHERE $filter-var-ONLY AND sender IS NOT NULL GROUP BY sender ORDER BY requests DESC drilldown-TopEmailReceiveSender-ByVolume 40 Drilldown top email receive Traffic sender by volume SELECT sender, sum(bandwidth) AS volume FROM (### (SELECT recipient, sender, count(*) AS requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND service IN ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') AND utmevent IN ('general-email-log', 'spamfilter') GROUP BY recipient, sender ORDER BY requests DESC)### UNION ALL ### (SELECT `to` AS recipient, `FROM` AS sender, count(*) AS requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-emailfilter WHERE $filter-exclude-var AND service IN ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') AND eventtype IS NULL GROUP BY `to`, `FROM` ORDER BY requests DESC)###) t WHERE $filter-var-ONLY AND sender IS NOT NULL GROUP BY sender HAVING sum(bandwidth)>0 ORDER BY volume DESC drilldown-Top- Drilldown top Email-Sender- email sender Traffic By-Count by count Copyright © 2014 Fortinet, Inc. All Rights Reserved SELECT sender, sum(requests) AS requests FROM (### (SELECT sender, recipient, count(*) AS requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-traffic WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND service IN ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') AND utmevent IN ('general-email-log', 41 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax 'spamfilter') GROUP BY sender, recipient ORDER BY requests DESC)### UNION ALL ### (SELECT `FROM` AS sender, `to` AS recipient, count(*) AS requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-emailfilter WHERE $filter-exclude-var AND service IN ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') AND eventtype IS NULL GROUP BY `FROM`, `to` ORDER BY requests DESC)###) t WHERE $filter-var-ONLY AND sender IS NOT NULL GROUP BY sender ORDER BY requests DESC drilldown-Top- Drilldown top Email-Sender- email sender Traffic By-Volume by volume 42 SELECT sender, sum(bandwidth) AS volume FROM (### (SELECT sender, recipient, count(*) AS requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-traffic WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND service IN ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') AND utmevent IN ('general-email-log', 'spamfilter') GROUP BY sender, recipient ORDER BY requests DESC)### UNION ALL ### (SELECT `FROM` AS sender, `to` AS recipient, count(*) AS requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax FROM $log-emailfilter WHERE $filter-exclude-var AND service IN ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') AND eventtype IS NULL GROUP BY `FROM`, `to` ORDER BY requests DESC)###) t WHERE $filter-var-ONLY AND sender IS NOT NULL GROUP BY sender HAVING sum(bandwidth)>0 ORDER BY volume DESC drilldown-TopEmail-SendRecipient-ByCount Drilldown top email send Traffic recipient by count Copyright © 2014 Fortinet, Inc. All Rights Reserved SELECT recipient, sum(requests) AS requests FROM (### (SELECT sender, recipient, count(*) AS requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-traffic WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND service IN ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') AND utmevent IN ('general-email-log', 'spamfilter') GROUP BY sender, recipient ORDER BY requests DESC)### UNION ALL ### (SELECT `FROM` AS sender, `to` AS recipient, count(*) AS requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-emailfilter WHERE $filter-exclude-var AND service IN ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') AND eventtype IS NULL GROUP BY `FROM`, 43 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax `to` ORDER BY requests DESC)###) t WHERE $filter-var-ONLY AND recipient IS NOT NULL GROUP BY recipient ORDER BY requests DESC drilldown-TopEmail-SendRecipient-ByVolume Drilldown top email send Traffic recipient by volume drilldown-Top- Drilldown top User-By-Band- user by band- Traffic width width usage 44 SELECT recipient, sum(bandwidth) AS volume FROM (### (SELECT sender, recipient, count(*) AS requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-traffic WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND service IN ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') AND utmevent IN ('general-email-log', 'spamfilter') GROUP BY sender, recipient ORDER BY requests DESC)### UNION ALL ### (SELECT `FROM` AS sender, `to` AS recipient, count(*) AS requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-emailfilter WHERE $filter-exclude-var AND service IN ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') AND eventtype IS NULL GROUP BY `FROM`, `to` ORDER BY requests DESC)###) t WHERE $filter-var-ONLY AND recipient IS NOT NULL GROUP BY recipient HAVING sum(bandwidth)>0 ORDER BY volume DESC SELECT user_src, sum(bandwidth) AS bandwidth FROM ### (SELECT appid, Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax app, coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, dstip, srcintf, dstintf, policyid, count(*) AS sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY appid, app, user_src, dstip, srcintf, dstintf, policyid ORDER BY sessions DESC)### t WHERE $filter-var-ONLY AND user_src IS NOT NULL GROUP BY user_src HAVING sum(bandwidth)>0 ORDER BY bandwidth DESC drilldown-Top- Drilldown top User-By-Ses- user by ses- Traffic sions sion count Copyright © 2014 Fortinet, Inc. All Rights Reserved SELECT user_src, sum(sessions) AS sessions FROM ### (SELECT appid, app, coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, dstip, srcintf, dstintf, policyid, count(*) AS sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY appid, app, user_src, dstip, srcintf, dstintf, policyid ORDER BY sessions DESC)### t WHERE $filter-var-ONLY AND user_src IS NOT NULL GROUP BY user_src ORDER BY sessions DESC 45 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax drilldown-Top- Drilldown top Website-Bywebsite by Traffic Request request SELECT hostname, sum(requests) AS visits FROM (### (SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, hostname, count(*) AS requests FROM $log-traffic WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') AND hostname IS NOT NULL GROUP BY user_src, hostname ORDER BY requests DESC)### UNION ALL ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, hostname, count(*) AS requests FROM $log-webfilter WHERE $filter-exclude-var AND eventtype IS NULL AND hostname IS NOT NULL GROUP BY user_src, hostname ORDER BY requests DESC)###) t WHERE $filter-var-ONLY AND hostname IS NOT NULL GROUP BY hostname ORDER BY visits DESC drilldown-Top- Drilldown top Web-User-By- web user by Traffic Visit visit SELECT user_src, sum(requests) AS visits FROM (### (SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, hostname, count(*) AS requests FROM $log-traffic WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') AND hostname IS NOT NULL GROUP BY user_src, hostname ORDER BY requests DESC)### UNION ALL ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, 46 Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax hostname, count(*) AS requests FROM $log-webfilter WHERE $filter-exclude-var AND eventtype IS NULL AND hostname IS NOT NULL GROUP BY user_src, hostname ORDER BY requests DESC)###) t WHERE $filter-var-ONLY AND user_src IS NOT NULL GROUP BY user_src ORDER BY visits DESC drilldownVirus-Detail EstimatedBrowsingTime Drilldown virus detail Estimated browsing time Copyright © 2014 Fortinet, Inc. All Rights Reserved Traffic SELECT FROM_itime(itime) AS TIMESTAMP, virus, user_src, dstip, hostname, recipient FROM (### (SELECT itime, virus, coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, dstip, hostname, recipient FROM $log-traffic WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IS NOT NULL AND virus IS NOT NULL ORDER BY itime DESC)### UNION ALL ### (SELECT itime, virus, coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, dstip, cast(' ' AS char) AS hostname, cast(' ' AS char) AS recipient FROM $log-virus WHERE $filter-exclude-var AND (eventtype IS NULL OR logver = 52) AND nullifna(virus) IS NOT NULL ORDER BY itime DESC)###) t WHERE $filter-var-ONLY ORDER BY itime DESC Traffic SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, sum($browse_time) AS browsetime FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 47 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax 14) GROUP BY user_src HAVING sum($browse_time)>0 ORDER BY browsetime DESC EstimatedBrowsingTimeEnhanced event-AdminFailed-LoginSummary event-AdminLogin-Summary Estimated browsing time enhanced Event admin failed login summary Event admin login summary Traffic SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, sum($browse_time2) AS browsetime FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY user_src HAVING sum($browse_time2)>0 ORDER BY browsetime DESC event SELECT ùser` AS f_user, ui, count(status) AS total_failed FROM $log WHERE $filter AND nullifna(ùser`) IS NOT NULL AND logid_to_int(logid) = 32002 GROUP BY ui, f_user ORDER BY total_failed DESC event SELECT ùser` AS f_user, ui, sum(CASE WHEN logid_to_int(logid)=32001 THEN 1 ELSE 0 END) AS total_num, sum(CASE WHEN logid_to_int(logid)=32003 THEN duration ELSE 0 END) AS total_duration, count(STATE) AS total_change FROM $log WHERE $filter AND nullifna(ùser`) IS NOT NULL AND logid_to_int(logid) IN (32001, 32003) GROUP BY f_user , ui HAVING sum(CASE WHEN logid_to_int(logid)=32001 THEN 1 ELSE 0 END)>0 ORDER BY total_num DESC event-Admin- Event admin Login-Sumlogin sumevent mary-By-Date mary by date SELECT $flex_timescale AS dom, sum(CASE WHEN logid_to_int(logid)=32001 THEN 1 ELSE 0 END) AS total_num, count(STATE) AS total_change FROM $log WHERE $filter AND nullifna(ùser`) IS NOT NULL AND logid_to_int(logid) IN (32001, 32003) GROUP BY dom HAVING sum(CASE WHEN logid_to_int(logid) =32001 THEN 1 ELSE 0 END)>0 ORDER BY dom event-System- Event system Critical-Sever- critical sever- event ity-Events ity events SELECT msg_desc AS msg, severity, sum(COUNT) AS counts FROM ### (SELECT coalesce(nullifna(logdesc), msg) AS msg_desc, (CASE 48 Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax WHEN LEVEL IN ('critical', 'alert', 'emergency') THEN 'Critical' WHEN LEVEL='error' THEN 'High' WHEN LEVEL='warning' THEN 'Medium' WHEN LEVEL='notice' THEN 'Low' ELSE 'Info' END) AS severity, COUNT(*) AS COUNT FROM $log WHERE $filter AND subtype='system' GROUP BY msg_desc, severity ORDER BY COUNT DESC)### t WHERE severity='Critical' GROUP BY msg, severity ORDER BY counts DESC event-System- Event system High-Severity- high severity event Events events SELECT msg_desc AS msg, severity, sum(COUNT) AS counts FROM ### (SELECT coalesce(nullifna(logdesc), msg) AS msg_desc, (CASE WHEN LEVEL IN ('critical', 'alert', 'emergency') THEN 'Critical' WHEN LEVEL='error' THEN 'High' WHEN LEVEL='warning' THEN 'Medium' WHEN LEVEL='notice' THEN 'Low' ELSE 'Info' END) AS severity, COUNT(*) AS COUNT FROM $log WHERE $filter AND subtype='system' GROUP BY msg_desc, severity ORDER BY COUNT DESC)### t WHERE severity='High' GROUP BY msg, severity ORDER BY counts DESC event-SystemMediumSeverityEvents SELECT msg_desc AS msg, severity, sum(COUNT) AS counts FROM ### (SELECT coalesce(nullifna(logdesc), msg) AS msg_desc, (CASE WHEN LEVEL IN ('critical', 'alert', 'emergency') THEN 'Critical' WHEN LEVEL='error' THEN 'High' WHEN LEVEL='warning' THEN 'Medium' WHEN LEVEL='notice' THEN 'Low' ELSE 'Info' END) AS severity, COUNT(*) AS COUNT FROM $log WHERE $filter AND subtype='system' GROUP BY msg_desc, severity ORDER BY COUNT DESC)### t Event system medium event severity events Copyright © 2014 Fortinet, Inc. All Rights Reserved 49 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax WHERE severity='Medium' GROUP BY msg, severity ORDER BY counts DESC event-System- Event system Summary-By- summary by event Date date SELECT $flex_timescale AS dom, sum(CASE WHEN LEVEL IN ('critical', 'alert', 'emergency') THEN 1 ELSE 0 END) AS critical, sum(CASE WHEN LEVEL = 'error' THEN 1 ELSE 0 END) AS high, sum(CASE WHEN LEVEL = 'warning' THEN 1 ELSE 0 END) AS medium, sum(CASE WHEN LEVEL = 'notice' THEN 1 ELSE 0 END) AS low, sum(CASE WHEN LEVEL = 'information' OR LEVEL = 'debug' THEN 1 ELSE 0 END) AS info FROM $log WHERE $filter AND subtype='system' GROUP BY dom ORDER BY dom event-System- Event system Summary-By- summary by event Severity severity SELECT (CASE WHEN LEVEL IN ('critical', 'alert', 'emergency') THEN 'Critical' WHEN LEVEL='error' THEN 'High' WHEN LEVEL='warning' THEN 'Medium' WHEN LEVEL='notice' THEN 'Low' ELSE 'Info' END) AS severity, count(*) AS total_num FROM $log WHERE $filter AND subtype='system' GROUP BY severity ORDER BY total_num DESC DROP TABLE IF EXISTS pre_clt_list; DROP TABLE IF EXISTS cur_clt_list; DROP TABLE IF EXISTS allocated_ip; event-TopDHCP-Summary Event top dhcp summary event CREATE TEMPORARY TABLE pre_clt_list AS ### (SELECT concat(interface, '.', devid) AS intf, mac FROM $log WHERE $last3day_period $filter AND logid_to_int(logid) = 26001 AND dhcp_msg = 'Ack' GROUP BY interface, devid, mac)###; CREATE TEMPORARY TABLE cur_clt_list AS ### (SELECT concat(interface, '.', devid) AS intf, mac FROM $log WHERE $filter AND logid_to_int(logid) = 26001 50 Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax AND dhcp_msg = 'Ack' GROUP BY interface, devid, mac)###; CREATE TEMPORARY TABLE allocated_ip AS ### (SELECT t31.intf, percent_of_allocated_ip FROM (SELECT concat(interface, '.', devid) AS intf, CAST((CAST(used AS float)/CAST(total AS float)*100) AS decimal(10,2)) AS percent_of_allocated_ip, itime FROM $log WHERE $filter AND logid_to_int(logid) = 26003 AND total != 0 GROUP BY interface, devid, percent_of_allocated_ip, itime) t31 INNER JOIN (SELECT concat(interface,'.', devid) AS intf, max(itime) AS max_itime FROM $log WHERE $filter AND logid_to_int(logid) = 26003 GROUP BY interface, devid) t32 ON t31.intf = t32.intf AND t31.itime=t32.max_itime)###; SELECT t41.intf AS interface, percent_of_allocated_ip, count(mac) AS new_cli_count FROM (SELECT intf, percent_of_allocated_ip FROM allocated_ip) t41 INNER JOIN (SELECT intf, mac FROM cur_clt_list WHERE (mac NOT IN (SELECT mac FROM pre_clt_list)) GROUP BY intf, mac) t42 ON t41.intf = t42.intf GROUP BY interface, percent_of_allocated_ip ORDER BY interface , percent_of_allocated_ip DESC event-Usage- Event usage CPU CPU Copyright © 2014 Fortinet, Inc. All Rights Reserved event SELECT hourstamp, cast(sum(cpu_usage)/sum(num) AS decimal(6,2)) AS cpu_avg_ usage FROM ### (SELECT $hour_of_day AS hourstamp, sum(cpu) AS cpu_usage, count(*) AS num 51 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax FROM $log WHERE $filter AND subtype='system' AND action='perf-stats' GROUP BY hourstamp)### t GROUP BY hourstamp ORDER BY hourstamp event-Usage- Event usage CPU-SesCPU sessions sions event-Usage- Event usage Mem memory event-Usage- Event usage Sessions sessions event-Wireless-Accepted-Offwire 52 Event wireless accepted off-wire event SELECT hourstamp, cast(sum(sess_usage)/sum(num) AS decimal(10,2)) AS sess_avg_ usage, cast(sum(cpu_usage)/sum(num) AS decimal(6,2)) AS cpu_avg_ usage FROM ### (SELECT $hour_of_day AS hourstamp, sum(cpu) AS cpu_usage, sum(totalsession) AS sess_usage, count(*) AS num FROM $log WHERE $filter AND subtype='system' AND action='perf-stats' GROUP BY hourstamp)### t GROUP BY hourstamp ORDER BY hourstamp event SELECT hourstamp, cast(sum(mem_usage)/sum(num) AS decimal(6,2)) AS mem_avg_ usage FROM ### (SELECT $hour_of_day AS hourstamp, sum(mem) AS mem_usage, count(*) AS num FROM $log WHERE $filter AND subtype='system' AND action='perf-stats' GROUP BY hourstamp)### t GROUP BY hourstamp ORDER BY hourstamp event SELECT hourstamp, cast(sum(sess_usage)/sum(num) AS decimal(10,2)) AS sess_avg_ usage FROM ### (SELECT $hour_of_day AS hourstamp, sum(totalsession) AS sess_usage, count(*) AS num FROM $log WHERE $filter AND subtype='system' AND action='perf-stats' GROUP BY hourstamp)### t GROUP BY hourstamp ORDER BY hourstamp event SELECT 'accepted' AS ap_full_status, devid, vd, ssid, bssid, Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax manuf, channel, radioband, FROM_dtime(max(last_seen)) AS last_seen, detectionmethod, snclosest, 'no' AS on_wire FROM ### (SELECT devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus, max(dtime) AS last_seen FROM $log WHERE $filter AND bssid IS NOT NULL AND logid_to_int(logid) IN (43521, 43525) GROUP BY devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus ORDER BY last_seen DESC)### t WHERE apstatus=2 AND onwire='no' GROUP BY devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest ORDER BY last_seen DESC event-Wireless-Accepted-Onwire Event wireless accepted on-wire Copyright © 2014 Fortinet, Inc. All Rights Reserved event SELECT 'accepted' AS ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, 53 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax FROM_dtime(max(last_seen)) AS last_seen, detectionmethod, snclosest, 'yes' AS on_wire FROM ### (SELECT devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus, max(dtime) AS last_seen FROM $log WHERE $filter AND bssid IS NOT NULL AND logid_to_int(logid) IN (43521, 43525) GROUP BY devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus ORDER BY last_seen DESC)### t WHERE apstatus=2 AND onwire='yes' GROUP BY devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest ORDER BY last_seen DESC DROP TABLE IF EXISTS ip_list; event-Wireless-ClientDetails 54 Event wireless client details event CREATE TEMPORARY TABLE ip_list AS SELECT ip, lower(mac) AS lmac, sn, ssid, channel, radioband, min(dtime) AS FIRST, max(dtime) AS LAST FROM $log-event Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax WHERE $filter AND ip IS NOT NULL AND mac IS NOT NULL AND sn IS NOT NULL AND ssid IS NOT NULL GROUP BY ip, lmac, sn, ssid, channel, radioband ORDER BY ip; SELECT user_src, ip, lmac, sn, ssid, channel, radioband, FROM_dtime(FIRST) AS first_seen, FROM_dtime(LAST) AS last_seen, cast(volume AS decimal(18,2)) AS bandwidth FROM (SELECT * FROM ip_list INNER JOIN (SELECT user_src, srcip, sum(volume) AS volume FROM ### (SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, srcip, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS volume FROM $log-traffic WHERE $filter-time AND logid_to_int(logid) NOT IN (4, 7, 14) AND srcip IS NOT NULL GROUP BY user_src, srcip HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY volume DESC)### t GROUP BY user_src, srcip ORDER BY user_src, srcip) t ON ip_list.ip = t.srcip) t ORDER BY volume DESC event-Wireless-RogueOffwire Event wireless rogue off-wire Copyright © 2014 Fortinet, Inc. All Rights Reserved event SELECT 'rogue' AS ap_full_status, devid, vd, ssid, bssid, manuf, channel, 55 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax radioband, FROM_dtime(max(last_seen)) AS last_seen, detectionmethod, snclosest, 'no' AS on_wire FROM ### (SELECT devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus, max(dtime) AS last_seen FROM $log WHERE $filter AND bssid IS NOT NULL AND logid IN ('43521', '43525') GROUP BY devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus ORDER BY last_seen DESC)### t WHERE apstatus=1 AND onwire='no' GROUP BY devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest ORDER BY last_seen DESC event-Wireless-RogueOnwire 56 Event wireless rogue on-wire event SELECT 'rogue' AS ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, FROM_dtime(max(last_seen)) AS last_seen, detectionmethod, Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax snclosest, 'yes' AS on_wire FROM ### (SELECT devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus, max(dtime) AS last_seen FROM $log WHERE $filter AND bssid IS NOT NULL AND logid_to_int(logid) IN (43521, 43525) GROUP BY devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus ORDER BY last_seen DESC)### t WHERE apstatus=1 AND onwire='yes' GROUP BY devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest ORDER BY last_seen DESC event-Wireless-SuppressedOffwire Event wireless suppressed offwire Copyright © 2014 Fortinet, Inc. All Rights Reserved event SELECT 'suppressed' AS ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, FROM_dtime(max(last_seen)) AS last_seen, detectionmethod, snclosest, 'no' AS on_wire FROM ### (SELECT devid, vd, 57 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus, max(dtime) AS last_seen FROM $log WHERE $filter AND bssid IS NOT NULL AND logid_to_int(logid) IN (43521, 43525) GROUP BY devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus ORDER BY last_seen DESC)### t WHERE apstatus=3 AND onwire='no' GROUP BY devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest ORDER BY last_seen DESC event-Wireless-SuppressedOnwire 58 Event wireless suppressed onwire event SELECT 'suppressed' AS ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, FROM_dtime(max(last_seen)) AS last_seen, detectionmethod, snclosest, 'yes' AS on_wire FROM ### (SELECT devid, vd, ssid, bssid, manuf, Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax channel, radioband, detectionmethod, snclosest, onwire, apstatus, max(dtime) AS last_seen FROM $log WHERE $filter AND bssid IS NOT NULL AND logid_to_int(logid) IN (43521, 43525) GROUP BY devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus ORDER BY last_seen DESC)### t WHERE apstatus=3 AND onwire='yes' GROUP BY devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest ORDER BY last_seen DESC event-Wireless-Unclassified-Offwire Event wireless unclas- event sified off-wire Copyright © 2014 Fortinet, Inc. All Rights Reserved SELECT 'unclassified' AS ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, FROM_dtime(max(last_seen)) AS last_seen, detectionmethod, snclosest, 'no' AS on_wire FROM ### (SELECT devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, 59 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax logid, apstatus, max(dtime) AS last_seen FROM $log WHERE $filter AND bssid IS NOT NULL AND logid_to_int(logid) IN (43521, 43525) GROUP BY devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, logid, apstatus ORDER BY last_seen DESC)### t WHERE apstatus=0 AND onwire='no' GROUP BY devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest ORDER BY last_seen DESC event-Wireless-Unclassified-Onwire 60 Event wireless unclas- event sified on-wire SELECT 'unclassified' AS ap_full_status, devid, vd, ssid, bssid, manuf, channel, radioband, FROM_dtime(max(last_seen)) AS last_seen, detectionmethod, snclosest, 'yes' AS on_wire FROM ### (SELECT devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus, max(dtime) AS last_seen FROM $log Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax WHERE $filter AND bssid IS NOT NULL AND logid_to_int(logid) IN (43521, 43525) GROUP BY devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest, onwire, apstatus ORDER BY last_seen DESC)### t WHERE apstatus=0 AND onwire='yes' GROUP BY devid, vd, ssid, bssid, manuf, channel, radioband, detectionmethod, snclosest ORDER BY last_seen DESC High risk High-Riskapplication ApplicationTraffic by bandwidth By-Bandwidth usage High-RiskApplicationBy-Sessions High risk application by session count Number of number-of-sessession sion-timeline timeline Copyright © 2014 Fortinet, Inc. All Rights Reserved SELECT t2.name, d_behavior, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log t1 INNER JOIN app_mdata t2 ON t1.appid=t2.id WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND d_behavior IS NOT NULL GROUP BY t2.name, d_behavior ORDER BY bandwidth DESC Traffic SELECT t2.name, d_behavior, count(*) AS sessions FROM $log t1 INNER JOIN app_mdata t2 ON t1.appid=t2.id WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND d_behavior IS NOT NULL GROUP BY t2.name, d_behavior ORDER BY sessions DESC Traffic SELECT $flex_timescale AS hodex, count(*) AS sessions FROM $log WHERE $filter 61 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY hodex ORDER BY hodex Detected os-Detect-OSoperation sys- Traffic Count tem count SELECT (coalesce(osname, 'Unknown')) AS os, count(*) AS totalnum FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY os ORDER BY totalnum DESC reputationNumber-OfIncidents-ForAll-UsersDevices Traffic SELECT $flex_timescale AS hodex, sum(crscore%65536) AS scores, count(*) AS totalnum FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND crscore IS NOT NULL GROUP BY hodex HAVING sum(crscore%65536)>0 ORDER BY hodex Traffic SELECT $flex_timescale AS hodex, sum(crscore%65536) AS scores FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND crscore IS NOT NULL GROUP BY hodex HAVING sum(crscore%65536)>0 ORDER BY hodex Traffic SELECT devtype, coalesce(nullifna(`srcname`),nullifna(`srcmac`), ipstr(`srcip`)) AS dev_src, sum(crscore%65536) AS scores FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND crscore IS NOT NULL GROUP BY devtype, dev_src HAVING sum(crscore%65536)>0 ORDER BY scores DESC reputationScore-Summary-For-AllUsersDevices reputationTop-DevicesBy-Scores Reputation number of incidents for all users devices Reputation score summary for all users devices Reputation top devices by scores DROP TABLE IF EXISTS prd1_dev_tbl; reputationTop-DevicesWithIncreasedScores 62 Reputation top devices with increased scores DROP TABLE IF EXISTS prd2_dev_tbl; Traffic CREATE TEMPORARY TABLE prd1_dev_tbl AS ### (SELECT coalesce(nullifna(`srcname`),nullifna(`srcmac`), ipstr(`srcip`)) AS f_device, devtype, Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax sum(crscore%65536) AS sum_rp_score FROM $log WHERE $pre_period $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND crscore IS NOT NULL GROUP BY f_device, devtype HAVING sum(crscore%65536)>0 ORDER BY sum_rp_score DESC)###; CREATE TEMPORARY TABLE prd2_dev_tbl AS ### (SELECT coalesce(nullifna(`srcname`),nullifna(`srcmac`), ipstr(`srcip`)) AS f_device, devtype, sum(crscore%65536) AS sum_rp_score FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND crscore IS NOT NULL GROUP BY f_device, devtype HAVING sum(crscore%65536)>0 ORDER BY sum_rp_score DESC)###; SELECT t1.f_device, t1.devtype , sum(t1.sum_rp_score) AS t1_sum_score, sum(t2.sum_rp_score) AS t2_sum_score, (sum(t2.sum_rp_score)-sum(t1.sum_rp_score)) AS delta FROM prd1_dev_tbl AS t1 INNER JOIN prd2_dev_tbl AS t2 ON t1.f_device=t2.f_device AND t1.devtype=t2.devtype WHERE t2.sum_rp_score > t1.sum_rp_score GROUP BY t1.f_device, t1.devtype ORDER BY delta DESC reputationReputation Top-Users-By- top users by Scores scores reputationTop-UsersWithIncreasedScores Reputation top users with increased scores Copyright © 2014 Fortinet, Inc. All Rights Reserved Traffic SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, sum(crscore%65536) AS scores FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND crscore IS NOT NULL GROUP BY user_src HAVING sum(crscore%65536)>0 ORDER BY scores DESC DROP TABLE IF EXISTS prd1_usr_tbl; Traffic DROP TABLE IF EXISTS prd2_usr_tbl; CREATE TEMPORARY TABLE prd1_usr_tbl AS ### 63 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax (SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS f_user, sum(crscore%65536) AS sum_rp_score FROM $log WHERE $pre_period $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND crscore IS NOT NULL GROUP BY f_user HAVING sum(crscore%65536)>0 ORDER BY sum_rp_score DESC)###; CREATE TEMPORARY TABLE prd2_usr_tbl AS ### (SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS f_user, sum(crscore%65536) AS sum_rp_score FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND crscore IS NOT NULL GROUP BY f_user HAVING sum(crscore%65536)>0 ORDER BY sum_rp_score DESC)###; SELECT t1.f_user, sum(t1.sum_rp_score) AS t1_sum_score, sum(t2.sum_rp_score) AS t2_sum_score, (sum(t2.sum_rp_score)-sum(t1.sum_rp_score)) AS delta FROM prd1_usr_tbl AS t1 INNER JOIN prd2_usr_tbl AS t2 ON t1.f_user=t2.f_user WHERE t2.sum_rp_score > t1.sum_rp_score GROUP BY t1.f_user ORDER BY delta DESC virus SELECT $flex_timescale AS hodex, count(*) AS totalnum FROM $log WHERE $filter AND virus LIKE 'Adware%' GROUP BY hodex ORDER BY hodex DESC Threat threat-Attacksattacks by By-Severity severity attack SELECT (CASE WHEN severity='critical' THEN 'Critical' WHEN severity='high' THEN 'High' WHEN severity='medium' THEN 'Medium' WHEN severity='low' THEN 'Low' WHEN severity='info' THEN 'Info' END) AS severity, count(*) AS totalnum FROM $log WHERE $filter GROUP BY severity ORDER BY totalnum DESC threat-Attacks- Threat attack SELECT attack, (CASE threatAdwareTimeline 64 Threat adware timeline Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Over-HTTPHTTPs Description Log Category Query Syntax attacks over HTTP HTTPs WHEN severity='critical' THEN 'Critical' WHEN severity='high' THEN 'High' WHEN severity='medium' THEN 'Medium' WHEN severity='low' THEN 'Low' WHEN severity='info' THEN 'Info' END) AS severity, count(*) AS totalnum, (CASE WHEN severity='critical' THEN 0 WHEN severity='high' THEN 1 WHEN severity='medium' THEN 2 WHEN severity='low' THEN 3 WHEN severity='info' THEN 4 ELSE 5 END) AS severity_number FROM $log WHERE $filter AND severity IN ('critical', 'high', 'medium') AND upper(service) IN ('HTTP', 'HTTPS') GROUP BY attack, severity, severity_number ORDER BY severity_number, totalnum DESC threat-Critical- Threat critical Severity-Intru- severity intruattack sions sions SELECT attack, vuln_type, count(*) AS totalnum FROM $log t1 LEFT JOIN ips_mdata t2 ON t1.attack=t2.name WHERE $filter AND t1.severity = 'critical' GROUP BY attack, vuln_type ORDER BY totalnum DESC threat-HighThreat high Severity-Intru- severity intruattack sions sions SELECT attack, vuln_type, count(*) AS totalnum FROM $log t1 LEFT JOIN ips_mdata t2 ON t1.attack=t2.name WHERE $filter AND t1.severity='high' GROUP BY attack, vuln_type ORDER BY totalnum DESC threat-IntrusionsTimeline-BySeverity SELECT $flex_timescale AS timescale, (CASE WHEN severity='critical' THEN 'Critical' WHEN severity='high' THEN 'High' WHEN severity='medium' THEN 'Medium' WHEN severity='low' THEN 'Low' WHEN severity='info' THEN 'Info' END) AS severity, count(*) AS totalnum FROM $log WHERE $filter Threat intrusions timeline by severity Copyright © 2014 Fortinet, Inc. All Rights Reserved attack 65 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax GROUP BY timescale, severity ORDER BY timescale threat-IntruThreat intruattack sion-Timeline sion timeline SELECT $flex_timescale AS hodex, count(*) AS totalnum FROM $log WHERE $filter GROUP BY hodex ORDER BY hodex threat-LowThreat low Severity-Intru- severity intruattack sions sions SELECT attack, vuln_type, count(*) AS totalnum FROM $log t1 LEFT JOIN ips_mdata t2 ON t1.attack=t2.name WHERE $filter AND t1.severity='low' GROUP BY attack, vuln_type ORDER BY totalnum DESC threatMediumSeverity-Intrusions SELECT attack, vuln_type, count(*) AS totalnum FROM $log t1 LEFT JOIN ips_mdata t2 ON t1.attack=t2.name WHERE $filter AND t1.severity='medium' GROUP BY attack, vuln_type ORDER BY totalnum DESC Threat medium attack severity intrusions threat-SpyThreat spyvirus ware-Timeline ware timeline SELECT $flex_timescale AS hodex, count(*) AS totalnum FROM $log WHERE $filter AND virus LIKE 'Riskware%' GROUP BY hodex ORDER BY hodex DESC threat-TopAdware-byName virus SELECT virus, sum(totalnum) AS totalnum FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, virus, count(*) AS totalnum FROM $log WHERE $filter GROUP BY user_src, virus ORDER BY totalnum DESC)### t WHERE virus LIKE 'Adware%' GROUP BY virus ORDER BY totalnum DESC Traffic SELECT srcip, hostname, count(*) AS totalnum FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, threat-TopAdwareSource 66 Threat top adware by name Threat top adware source Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax 14) AND virus LIKE 'Adware%' GROUP BY srcip, hostname ORDER BY totalnum DESC threat-TopAdware-Victims threat-TopAttacksBlocked Threat top adware victims Threat top attacks blocked virus SELECT user_src, sum(totalnum) AS totalnum FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, virus, count(*) AS totalnum FROM $log WHERE $filter GROUP BY user_src, virus ORDER BY totalnum DESC)### t WHERE virus LIKE 'Adware%' GROUP BY user_src ORDER BY totalnum DESC attack SELECT attack, count(*) AS attack_count FROM $log WHERE $filter AND nullifna(attack) IS NOT NULL AND action IN ('deny', 'blocked', 'reset', 'dropped') GROUP BY attack ORDER BY attack_count DESC SELECT attack, severity, sum(attack_count) AS attack_count FROM ### (SELECT attack, severity, (CASE WHEN severity = 'critical' THEN 1 WHEN severity = 'high' THEN 2 WHEN severity = 'medium' THEN 3 WHEN severity = 'low' THEN 4 ELSE 5 END) AS severity_level, threat-TopThreat top Attacks-Detec- attacks detec- attack ted ted threat-TopThreat top Blocked-Intru- blocked intruattack sions sions Copyright © 2014 Fortinet, Inc. All Rights Reserved count(*) AS attack_count FROM $log WHERE $filter AND nullifna(attack) IS NOT NULL GROUP BY attack, severity, severity_level ORDER BY severity_level, attack_count DESC)### t GROUP BY attack, severity, severity_level ORDER BY severity_level, attack_count DESC SELECT attack, (CASE WHEN t1.severity='critical' THEN 'Critical' WHEN t1.severity='high' THEN 'High' WHEN t1.severity='medium' THEN 'Medium' 67 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax WHEN t1.severity='low' THEN 'Low' WHEN t1.severity='info' THEN 'Info' END) AS severity_name, count(*) AS totalnum, vuln_type, (CASE WHEN t1.severity='critical' THEN 0 WHEN t1.severity='high' THEN 1 WHEN t1.severity='medium' THEN 2 WHEN t1.severity='low' THEN 3 WHEN t1.severity='info' THEN 4 ELSE 5 END) AS severity_number FROM $log t1 LEFT JOIN ips_mdata t2 ON t1.attack=t2.name WHERE $filter AND nullifna(attack) IS NOT NULL AND action IN ('deny', 'blocked', 'reset', 'dropped') GROUP BY attack, t1.severity, vuln_type ORDER BY severity_number, totalnum DESC threat-TopThreat top Intrusions-By- intrusions by attack Types types threat-TopIntrusionSources Threat top intrusion sources attack threat-Top- Threat top attack 68 SELECT vuln_type, count(*) AS totalnum FROM $log t1 LEFT JOIN ips_mdata t2 ON t1.attack=t2.name WHERE $filter AND vuln_type IS NOT NULL GROUP BY vuln_type ORDER BY totalnum DESC SELECT SOURCE, sum(cri_num) AS critical, sum(high_num) AS high, sum(med_num) AS medium, sum(cri_num + high_num + med_num) AS totalnum FROM ### (SELECT srcip AS SOURCE, sum(CASE WHEN severity='critical' THEN 1 ELSE 0 END) AS cri_num, sum(CASE WHEN severity='high' THEN 1 ELSE 0 END) AS high_num, sum(CASE WHEN severity='medium' THEN 1 ELSE 0 END) AS med_ num FROM $log WHERE $filter AND severity IN ('critical', 'high', 'medium') GROUP BY SOURCE)### t GROUP BY SOURCE ORDER BY totalnum DESC SELECT victim, sum(cri_num) AS critical, Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax sum(high_num) AS high, sum(med_num) AS medium, sum(cri_num + high_num + med_num) AS totalnum FROM ### (SELECT dstip AS victim, sum((CASE WHEN severity='critical' THEN 1 ELSE 0 END)) AS cri_num, sum(CASE WHEN severity='high' THEN 1 ELSE 0 END) AS high_num, Intrusion-Victims threat-TopMonitoredIntrusions threat-TopSpyware-byName intrusion victims Threat top monitored intrusions Threat top spyware by name Copyright © 2014 Fortinet, Inc. All Rights Reserved sum(CASE WHEN severity='medium' THEN 1 ELSE 0 END) AS med_ num FROM $log WHERE $filter AND severity IN ('critical', 'high', 'medium') GROUP BY victim)### t GROUP BY victim ORDER BY totalnum DESC attack SELECT attack, (CASE WHEN t1.severity='critical' THEN 'Critical' WHEN t1.severity='high' THEN 'High' WHEN t1.severity='medium' THEN 'Medium' WHEN t1.severity='low' THEN 'Low' WHEN t1.severity='info' THEN 'Info' END) AS severity_name, count(*) AS totalnum, vuln_type, (CASE WHEN t1.severity='critical' THEN 0 WHEN t1.severity='high' THEN 1 WHEN t1.severity='medium' THEN 2 WHEN t1.severity='low' THEN 3 WHEN t1.severity='info' THEN 4 ELSE 5 END) AS severity_number FROM $log t1 LEFT JOIN ips_mdata t2 ON t1.attack=t2.name WHERE $filter AND nullifna(attack) IS NOT NULL AND action NOT IN ('deny', 'blocked', 'reset', 'dropped') GROUP BY attack, t1.severity, vuln_type ORDER BY severity_number, totalnum DESC virus SELECT virus, sum(totalnum) AS totalnum FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, virus, count(*) AS totalnum FROM $log 69 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax WHERE $filter GROUP BY user_src, virus ORDER BY totalnum DESC)### t WHERE virus LIKE 'Riskware%' GROUP BY virus ORDER BY totalnum DESC threat-TopSpywareSource threat-TopSpyware-Victims threat-TopVirus-Source 70 Threat top spyware source Threat top spyware victims Threat top virus source Traffic SELECT srcip, hostname, count(*) AS totalnum FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND virus LIKE 'Riskware%' GROUP BY srcip, hostname ORDER BY totalnum DESC virus SELECT user_src, sum(totalnum) AS totalnum FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, virus, count(*) AS totalnum FROM $log WHERE $filter GROUP BY user_src, virus ORDER BY totalnum DESC)### t WHERE virus LIKE 'Riskware%' GROUP BY user_src ORDER BY totalnum DESC Traffic SELECT srcip, hostname, sum(totalnum) AS totalnum FROM (### (SELECT srcip, hostname, count(*) AS totalnum FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IS NOT NULL AND virus IS NOT NULL GROUP BY srcip, hostname ORDER BY totalnum DESC)### UNION ALL ### (SELECT srcip , ipstr(`dstip`) AS hostname, count(*) AS totalnum FROM $log-virus WHERE $filter AND (eventtype IS NULL OR logver = 52) Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax AND nullifna(virus) IS NOT NULL GROUP BY srcip, hostname ORDER BY totalnum DESC)###) t GROUP BY srcip, hostname ORDER BY totalnum DESC threat-VirusTimeline Top-App-ByBandwidth Top-App-BySessions Threat virus timeline Top applications by bandwidth usage virus SELECT hodex, sum(totalnum) AS totalnum FROM (### (SELECT $flex_timescale AS hodex, count(*) AS totalnum FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IS NOT NULL AND virus IS NOT NULL GROUP BY hodex ORDER BY hodex DESC)### UNION ALL ### (SELECT $flex_timescale AS hodex, count(*) AS totalnum FROM $log-virus WHERE $filter AND (eventtype IS NULL OR logver = 52) AND nullifna(virus) IS NOT NULL GROUP BY hodex ORDER BY hodex DESC)###) t GROUP BY hodex ORDER BY hodex DESC Traffic SELECT app_group_name(app) AS app_group, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(rcvdbyte, 0)) AS traffic_in, sum(coalesce(sentbyte, 0)) AS traffic_out, count(*) AS sessions FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND nullifna(app) IS NOT NULL GROUP BY app_group HAVING sum(coalesce(sentbyte, 0)+coalesce (rcvdbyte, 0))>0 ORDER BY bandwidth DESC Top applications by ses- Traffic sion count Copyright © 2014 Fortinet, Inc. All Rights Reserved SELECT app_group_name(app) AS app_group, count(*) AS sessions FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND nullifna(app) IS NOT NULL GROUP BY app_group ORDER BY sessions DESC 71 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Top-Destinations-ByBandwidth Description Log Category Query Syntax Top destinations by bandwidth usage Traffic SELECT coalesce(nullifna(root_domain(hostname)), ipstr(dstip)) AS DOMAIN, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(rcvdbyte, 0)) AS traffic_in, sum(coalesce(sentbyte, 0)) AS traffic_out FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND coalesce(nullifna(root_domain(hostname)), ipstr(`dstip`)) IS NOT NULL GROUP BY DOMAIN HAVING sum(coalesce(sentbyte, 0)+coalesce (rcvdbyte, 0))>0 ORDER BY bandwidth DESC Traffic SELECT coalesce(nullifna(root_domain(hostname)), ipstr(dstip)) AS DOMAIN, count(*) AS sessions FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY DOMAIN ORDER BY sessions DESC Top desTop-Destintinations by ations-By-Sessession sions count Top P2P Top-P2P-App- applications Traffic By-Bandwidth by bandwidth usage SELECT app_group_name(app) AS app_group, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(rcvdbyte, 0)) AS traffic_in, sum(coalesce(sentbyte, 0)) AS traffic_out, count(*) AS sessions FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND nullifna(app) IS NOT NULL AND lower(appcat)='p2p' AND action='accept' GROUP BY app_group HAVING sum(coalesce(sentbyte, 0)+coalesce (rcvdbyte, 0))>0 ORDER BY bandwidth DESC Top P2P Top-P2P-App- applications By-Sessions by session count Traffic SELECT app_group_name(app) AS app_group, count(*) AS sessions FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND nullifna(app) IS NOT NULL AND lower(appcat)='p2p' AND action='accept' GROUP BY app_group ORDER BY sessions DESC Traffic SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, count(*) AS sessions FROM $log Top-User-BySessions 72 Top user by session count Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY user_src ORDER BY sessions DESC Top users by Top-Users-Bybandwidth Traffic Bandwidth usage Top-UserSource-BySessions Top user source by session count Traffic Top web catTop-Web-Category by egory-bywebfilter bandwidth Bandwidth usage Copyright © 2014 Fortinet, Inc. All Rights Reserved SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, srcip, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(rcvdbyte, 0)) AS traffic_in, sum(coalesce(sentbyte, 0)) AS traffic_out FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND srcip IS NOT NULL GROUP BY user_src, srcip HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) >0 ORDER BY bandwidth DESC SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, count(*) AS sessions FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY user_src ORDER BY sessions DESC SELECT catdesc, sum(bandwidth) AS bandwidth FROM (### (SELECT catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') GROUP BY catdesc HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY bandwidth DESC)### UNION ALL ### (SELECT catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-webfilter WHERE $filter 73 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax AND (eventtype IS NULL OR logver = 52) GROUP BY catdesc HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY bandwidth DESC)###) t GROUP BY catdesc ORDER BY bandwidth DESC Top-Web-Cat- Top web category-by-Ses- egory by ses- webfilter sions sion count SELECT catdesc, sum(sessions) AS sessions FROM (### (SELECT catdesc, count(*) AS sessions FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') GROUP BY catdesc ORDER BY sessions DESC)### UNION ALL ### (SELECT catdesc, count(*) AS sessions FROM $log-webfilter WHERE $filter AND (eventtype IS NULL OR logver = 52) GROUP BY catdesc ORDER BY sessions DESC)###) t GROUP BY catdesc ORDER BY sessions DESC Top-WebTop web Sites-by-Band- sites by band- webfilter width width usage SELECT DOMAIN, sum(bandwidth) AS bandwidth FROM (### (SELECT coalesce(nullifna(hostname), ipstr(`srcip`)) AS DOMAIN, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') GROUP BY DOMAIN HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY bandwidth DESC)### UNION ALL ### (SELECT coalesce(nullifna(hostname), ipstr(`srcip`)) AS DOMAIN, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth 74 Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax FROM $log-webfilter WHERE $filter AND (eventtype IS NULL OR logver = 52) GROUP BY DOMAIN HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY bandwidth DESC)###) t GROUP BY DOMAIN ORDER BY bandwidth DESC Top-WebSites-by-Sessions Top web sites by session count webfilter SELECT DOMAIN, sum(sessions) AS sessions FROM (### (SELECT coalesce(nullifna(hostname), ipstr(`srcip`)) AS DOMAIN, count(*) AS sessions FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') GROUP BY DOMAIN ORDER BY sessions DESC)### UNION ALL ### (SELECT coalesce(nullifna(hostname), ipstr(`srcip`)) AS DOMAIN, count(*) AS sessions FROM $log-webfilter WHERE $filter AND (eventtype IS NULL OR logver = 52) GROUP BY DOMAIN ORDER BY sessions DESC)###) t GROUP BY DOMAIN ORDER BY sessions DESC Total-AttackSource Total attack source attack SELECT count(*) AS totalnum FROM $log WHERE $filter Total-Number- Total number of-Botnetof botnet Traffic Events events Total-Number- Total number Traffic of-Viruses of viruses Copyright © 2014 Fortinet, Inc. All Rights Reserved SELECT count(*) AS events FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND appcat='Botnet' AND nullifna(app) IS NOT NULL SELECT sum(totalnum) AS totalnum FROM (### (SELECT count(*) AS totalnum FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) 75 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax AND utmevent IS NOT NULL AND virus IS NOT NULL ORDER BY totalnum DESC)### UNION ALL ### (SELECT count(*) AS totalnum FROM $log-virus WHERE $filter AND (eventtype IS NULL OR logver = 52) AND nullifna(virus) IS NOT NULL ORDER BY totalnum DESC)###) t Traffic bandTraffic-bandwidth width-timeline timeline Traffic SELECT $flex_timescale AS hodex, sum(coalesce(sentbyte, 0)) AS traffic_out, sum(coalesce(rcvdbyte, 0)) AS traffic_in FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY hodex HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY hodex Traffic-Brows- Traffic browsing-Time-Sum- ing time sum- Traffic mary mary SELECT hodex, cast(sum(delta)/60.0 AS decimal(18, 2)) AS browsetime FROM ### (SELECT $flex_timescale AS hodex, sum($browse_time) AS delta FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY hodex HAVING sum($browse_time)>0 ORDER BY delta DESC)### t GROUP BY hodex ORDER BY hodex Traffic-Browsing-Time-SummaryEnhanced SELECT hodex, cast(sum(delta)/60.0 AS decimal(18, 2)) AS browsetime FROM ### (SELECT $flex_timescale AS hodex, sum($browse_time2) AS delta FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY hodex HAVING sum($browse_time2)>0 ORDER BY delta DESC)### t GROUP BY hodex ORDER BY hodex Traffic browsing time sumTraffic mary enhanced Traffic-History- Traffic history By-Activeby active Traffic User user 76 SELECT hodex, count(distinct(user_src)) AS total_user FROM ### (SELECT $flex_timescale AS hodex, coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr (`srcip`)) AS user_src FROM $log Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY hodex, user_src ORDER BY hodex)### t GROUP BY hodex ORDER BY hodex Traffic-TopCategory-ByBrowsingTime Traffic-TopCategory-ByBrowsingTimeEnhanced Traffic-TopDestinationCountries-ByBrowsingTime Traffic top category by Traffic browsing time SELECT catdesc, sum(delta) AS browsetime, sum(bandwidth) AS bandwidth FROM ### (SELECT catdesc, sum($browse_time) AS delta, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND catdesc IS NOT NULL GROUP BY catdesc HAVING sum($browse_time)>0 ORDER BY delta DESC)### t GROUP BY catdesc ORDER BY browsetime DESC Traffic top category by browsing Traffic time enhanced SELECT catdesc, sum(delta) AS browsetime, sum(bandwidth) AS bandwidth FROM ### (SELECT catdesc, sum($browse_time2) AS delta, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND catdesc IS NOT NULL GROUP BY catdesc HAVING sum($browse_time2)>0 ORDER BY delta DESC)### t GROUP BY catdesc ORDER BY browsetime DESC Traffic top destination countries by browsing time SELECT dstcountry, sum(delta) AS browsetime, sum(bandwidth) AS bandwidth, sum(traffic_in) AS traffic_in, sum(traffic_out) AS traffic_out FROM ### (SELECT dstcountry, sum($browse_time) AS delta, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(rcvdbyte, 0)) AS traffic_in, Copyright © 2014 Fortinet, Inc. All Rights Reserved Traffic 77 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax sum (coalesce(sentbyte, 0)) AS traffic_out FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY dstcountry HAVING sum($browse_time)>0 ORDER BY delta DESC)### t GROUP BY dstcountry ORDER BY browsetime DESC Traffic-TopDestinationCountries-ByBrowsingTimeEnhanced Traffic-TopDomains-ByBrowsingTime Traffic-TopDomains-ByBrowsingTimeEnhanced 78 Traffic top destination countries by browsing time enhanced Traffic top domains by browsing time Traffic top domains by browsing time enhanced Traffic SELECT dstcountry, sum(delta) AS browsetime, sum(bandwidth) AS bandwidth, sum(traffic_in) AS traffic_in, sum(traffic_out) AS traffic_out FROM ### (SELECT dstcountry, sum($browse_time2) AS delta, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(rcvdbyte, 0)) AS traffic_in, sum (coalesce(sentbyte, 0)) AS traffic_out FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY dstcountry HAVING sum($browse_time2)>0 ORDER BY delta DESC)### t GROUP BY dstcountry ORDER BY browsetime DESC Traffic SELECT hostname, sum($browse_time) AS browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(rcvdbyte, 0)) AS traffic_in, sum(coalesce(sentbyte, 0)) AS traffic_out FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND hostname IS NOT NULL GROUP BY hostname HAVING sum($browse_time)>0 ORDER BY browsetime DESC Traffic SELECT hostname, sum($browse_time2) AS browsetime, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(rcvdbyte, 0)) AS traffic_in, sum(coalesce(sentbyte, 0)) AS traffic_out FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND hostname IS NOT NULL Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax GROUP BY hostname HAVING sum($browse_time2)>0 ORDER BY browsetime DESC Traffic-TopSites-ByBrowsingTime Traffic top sites by browsing time Traffic SELECT hostname, string_agg(DISTINCT catdesc, ', ') AS agg_catdesc, sum(delta) AS browsetime, sum(bandwidth) AS bandwidth, sum(traffic_in) AS traffic_in, sum(traffic_out) AS traffic_out FROM ### (SELECT hostname, catdesc, sum($browse_time) AS delta, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(rcvdbyte, 0)) AS traffic_in, sum (coalesce(sentbyte, 0)) AS traffic_out FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND hostname IS NOT NULL GROUP BY hostname, catdesc HAVING sum($browse_time)>0 ORDER BY delta DESC)### t GROUP BY hostname ORDER BY browsetime DESC Traffic-TopSites-ByBrowsingTimeEnhanced Traffic top sites by browsing time enhanced Traffic SELECT hostname, string_agg(DISTINCT catdesc, ', ') AS agg_catdesc, sum(delta) AS browsetime, sum(bandwidth) AS bandwidth, sum(traffic_in) AS traffic_in, sum(traffic_out) AS traffic_out FROM ### (SELECT hostname, catdesc, sum($browse_time2) AS delta, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(rcvdbyte, 0)) AS traffic_in, sum (coalesce(sentbyte, 0)) AS traffic_out FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND hostname IS NOT NULL GROUP BY hostname, catdesc HAVING sum($browse_time2)>0 ORDER BY delta DESC)### t GROUP BY hostname ORDER BY browsetime DESC Traffic-Top- Traffic top Traffic SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) Copyright © 2014 Fortinet, Inc. All Rights Reserved 79 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Users-ByBandwidth Traffic-TopWeb-UsersBy-BrowsingTime Description Log Category Query Syntax users by bandwidth usage AS user_src, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY user_src HAVING sum(coalesce(sentbyte, 0)+coalesce (rcvdbyte, 0))>0 ORDER BY bandwidth DESC Traffic top web users by Traffic browsing time SELECT user_src, sum(delta) AS browsetime, sum(bandwidth) AS bandwidth, sum(traffic_in) AS traffic_in, sum(traffic_out) AS traffic_out FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, sum($browse_time) AS delta, sum(coalesce(sentbyte, 0) +coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(rcvdbyte, 0)) AS traffic_in, sum(coalesce(sentbyte, 0)) AS traffic_out FROM $log WHERE $filter GROUP BY user_src HAVING sum($browse_time)>0 ORDER BY delta DESC)### t GROUP BY user_src ORDER BY browsetime DESC Traffic top Traffic-TopWiFi client by WiFi-ClientTraffic bandwidth By-Bandwidth usage SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, srcssid, devtype, coalesce(nullifna(`srcname`), `srcmac`) AS hostname_mac, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND (srcssid IS NOT NULL OR dstssid IS NOT NULL) GROUP BY user_src, srcssid, devtype, hostname_mac HAVING sum(coalesce(sentbyte, 0)+coalesce (rcvdbyte, 0))>0 ORDER BY bandwidth DESC Traffic-UserDetail SELECT 'User: ' || string_agg(DISTINCT coalesce(nullifna(ùser`), 'Unknown'), '/') || ' ' || 'Source IP: ' || string_agg(DISTINCT coalesce(ipstr(srcip), 'Unknown'), '/') || ' ' || 'Hostname (MAC): ' || string_agg(DISTINCT coalesce(host_dev, 'Unknown'), '/') || ' ' || 'Source Interface: ' || string_agg(DISTINCT coalesce(nullifna(srcintf), 'Unknown'), '/') || ' 80 Traffic user detail Traffic Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax || 'Devices: ' || string_agg(distinct coalesce(devid, 'UNKNOWN'), '/') AS user_detail FROM ### (SELECT ùser`, srcip, coalesce(nullifna(`srcname`),nullifna(`srcmac`)) AS host_dev, srcintf, devid, count(*) AS events FROM $log WHERE $filter GROUP BY ùser`, srcip, host_dev, srcintf, devid ORDER BY events DESC)### t User drilldown count spam activity emailfilter by hour of day SELECT hourstamp, sum(totalnum) AS totalnum FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, $hour_of_day AS hourstamp, count(*) AS totalnum FROM $log WHERE $filter-exclude-var AND `to` IS NOT NULL AND action IN ('detected', 'blocked') GROUP BY user_src, hourstamp ORDER BY hourstamp)### t WHERE $filter-var-ONLY GROUP BY hourstamp ORDER BY hourstamp user-drilldown-TopAllowed-WebCategories User drilldown top webfilter allowed web categories SELECT catdesc, sum(requests) AS requests FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, catdesc, action, count(*) AS requests FROM $log WHERE $filter-exclude-var AND catdesc IS NOT NULL GROUP BY user_src, catdesc, action ORDER BY requests DESC)### t WHERE $filter-var-ONLY AND action!='blocked' GROUP BY catdesc ORDER BY requests DESC user-drilldown-TopAllowed-WebSites-ByRequests User drilldown top allowed web webfilter sites by requests SELECT hostname, sum(requests) AS requests FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, hostname, action, user-drilldown-CountSpam-Activityby-Hour-ofDay Copyright © 2014 Fortinet, Inc. All Rights Reserved 81 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax count(*) AS requests FROM $log WHERE $filter-exclude-var AND hostname IS NOT NULL GROUP BY user_src, hostname, action ORDER BY requests DESC)### t WHERE $filter-var-ONLY AND action!='blocked' GROUP BY hostname ORDER BY requests DESC SELECT attack, sum(attack_count) AS attack_count FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, attack, (CASE WHEN severity IN ('critical', 'high') THEN 1 ELSE 0 END) AS high_severity, user-drilldown-TopAttacks-ByName User drilldown top attacks by name attack count(*) AS attack_count FROM $log WHERE $filter-exclude-var AND nullifna(attack) IS NOT NULL GROUP BY user_src, attack, high_severity ORDER BY attack_count DESC)### t WHERE $filter-var-ONLY GROUP BY attack ORDER BY attack_count DESC SELECT attack, sum(attack_count) AS attack_count FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, attack, (CASE WHEN severity IN ('critical', 'high') THEN 1 ELSE 0 END) AS high_severity, user-drilldown-TopAttacks-HighSeverity User drilldown top attacks high severity user-drilldown-TopBlocked-WebCategories User drilldown top webfilter blocked web categories 82 attack count(*) AS attack_count FROM $log WHERE $filter-exclude-var AND nullifna(attack) IS NOT NULL GROUP BY user_src, attack, high_severity ORDER BY attack_count DESC)### t WHERE $filter-var-ONLY AND high_severity=1 GROUP BY attack ORDER BY attack_count DESC SELECT catdesc, sum(requests) AS requests FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, catdesc, action, Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax count(*) AS requests FROM $log WHERE $filter-exclude-var AND catdesc IS NOT NULL GROUP BY user_src, catdesc, action ORDER BY requests DESC)### t WHERE $filter-var-ONLY AND action='blocked' GROUP BY catdesc ORDER BY requests DESC user-drilldown-TopBlocked-WebSites-ByRequests user-drilldown-TopSpamSources user-drilldown-TopVirus User drilldown top blocked web webfilter sites by requests SELECT hostname, sum(requests) AS requests FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, hostname, action, count(*) AS requests FROM $log WHERE $filter-exclude-var AND hostname IS NOT NULL GROUP BY user_src, hostname, action ORDER BY requests DESC)### t WHERE $filter-var-ONLY AND action='blocked' GROUP BY hostname ORDER BY requests DESC User drilldown top spam sources emailfilter SELECT mf_sender, sum(totalnum) AS totalnum FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, `FROM` AS mf_sender, count(*) AS totalnum FROM $log WHERE $filter-exclude-var AND `FROM` IS NOT NULL AND action IN ('detected', 'blocked') GROUP BY user_src, mf_sender ORDER BY totalnum DESC)### t WHERE $filter-var-ONLY GROUP BY mf_sender ORDER BY totalnum DESC virus SELECT virus, sum(totalnum) AS totalnum FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, virus, count(*) AS totalnum FROM $log WHERE $filter-exclude-var AND nullifna(virus) IS NOT NULL GROUP BY user_src, virus User drilldown top virus Copyright © 2014 Fortinet, Inc. All Rights Reserved 83 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax ORDER BY totalnum DESC)### t WHERE $filter-var-ONLY GROUP BY virus ORDER BY totalnum DESC user-drilldown-TopVirus-Receivers-OverEmail User drilldown top virus receivers over email UTM drillutm-drilldowndown email Email-Receivreceivers ers-Summary summary 84 virus SELECT receiver, sum(totalnum) AS totalnum FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, `to` AS receiver, count(*) AS totalnum FROM $log WHERE $filter-exclude-var AND subtype='infected' AND (service IN ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') OR service IN ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp')) AND nullifna(virus) IS NOT NULL GROUP BY user_src, receiver ORDER BY totalnum DESC)### t WHERE $filter-var-ONLY GROUP BY receiver ORDER BY totalnum DESC Traffic SELECT sum(requests) AS requests, sum(bandwidth) AS bandwidth FROM ### (SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, recipient, count(*) AS requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND recipient IS NOT NULL AND service IN ('pop3', 'POP3', '110/tcp', 'imap', Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') GROUP BY user_src, recipient ORDER BY requests DESC)### t WHERE $filter-var-ONLY utm-drilldownEmailSenders-Summary UTM drilldown email Traffic senders summary SELECT sum(requests) AS requests, sum(bandwidth) AS bandwidth FROM ### (SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, sender, count(*) AS requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND service IN ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') GROUP BY user_src, sender ORDER BY requests DESC)### t WHERE $filter-var-ONLY SELECT appid, hostname, sum(requests) AS requests FROM (### (SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, appid, hostname, (CASE WHEN utmaction='blocked' THEN 1 ELSE 0 END) AS blocked, UTM drillutm-drilldowndown top Top-Allowedallowed web Traffic Web-Sites-Bysites by Request request Copyright © 2014 Fortinet, Inc. All Rights Reserved count(*) AS requests FROM $log-traffic WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') AND hostname IS NOT NULL GROUP BY user_src, 85 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax appid, hostname, blocked ORDER BY requests DESC)### UNION ALL ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, 0 AS appid, hostname, (CASE WHEN action='blocked' THEN 1 ELSE 0 END) AS blocked, count(*) AS requests FROM $log-webfilter WHERE $filter-exclude-var AND (eventtype IS NULL OR logver = 52) AND hostname IS NOT NULL GROUP BY user_src, appid, hostname, blocked ORDER BY requests DESC)###) t WHERE $filter-var-ONLY AND blocked=0 GROUP BY appid, hostname ORDER BY requests DESC SELECT appid, app, sum(bandwidth) AS bandwidth FROM ### (SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, appid, app, sum(coalesce(sentbyte, 0) +coalesce(rcvdbyte, 0)) AS bandwidth, UTM drillutm-drilldowndown top Top-App-By- applications Traffic Bandwidth by bandwidth usage UTM drillutm-drilldowndown top Top-App-By- applications Sessions by session count 86 Traffic count(*) AS sessions FROM $log WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND nullifna(app) IS NOT NULL GROUP BY user_src, appid, app ORDER BY sessions DESC)### t WHERE $filter-var-ONLY GROUP BY appid, app HAVING sum(bandwidth)>0 ORDER BY bandwidth DESC SELECT appid, app, sum(sessions) AS sessions FROM ### (SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, appid, Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax app, sum(coalesce(sentbyte, 0) +coalesce(rcvdbyte, 0)) AS bandwidth, count(*) AS sessions FROM $log WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND nullifna(app) IS NOT NULL GROUP BY user_src, appid, app ORDER BY sessions DESC)### t WHERE $filter-var-ONLY GROUP BY appid, app ORDER BY sessions DESC UTM drillutm-drilldowndown top Top-Attacksattacks by By-Name name attack SELECT attack, sum(attack_count) AS attack_count FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, attack, count(*) AS attack_count FROM $log WHERE $filter-exclude-var AND nullifna(attack) IS NOT NULL GROUP BY user_src, attack ORDER BY attack_count DESC)### t WHERE $filter-var-ONLY GROUP BY attack ORDER BY attack_count DESC SELECT appid, hostname, sum(requests) AS requests FROM (### (SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, appid, hostname, (CASE WHEN utmaction='blocked' THEN 1 ELSE 0 END) AS blocked, UTM drillutm-drilldowndown top Top-Blockedblocked web Traffic Web-Sites-Bysites by Request request Copyright © 2014 Fortinet, Inc. All Rights Reserved count(*) AS requests FROM $log-traffic WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') AND hostname IS NOT NULL GROUP BY user_src, appid, hostname, blocked 87 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax ORDER BY requests DESC)### UNION ALL ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, 0 AS appid, hostname, (CASE WHEN action='blocked' THEN 1 ELSE 0 END) AS blocked, count(*) AS requests FROM $log-webfilter WHERE $filter-exclude-var AND (eventtype IS NULL OR logver = 52) AND hostname IS NOT NULL GROUP BY user_src, appid, hostname, blocked ORDER BY requests DESC)###) t WHERE $filter-var-ONLY AND blocked=1 GROUP BY appid, hostname ORDER BY requests DESC UTM drillutm-drilldowndown top Top-Emailemail recipRecipients ients Traffic SELECT recipient, sum(bandwidth) AS bandwidth FROM ### (SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, recipient, count(*) AS requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND service IN ('pop3', 'POP3', '110/tcp', 'imap', 'IMAP', '143/tcp', 'imaps', 'IMAPS', '993/tcp', 'pop3s', 'POP3S', '995/tcp') GROUP BY user_src, recipient ORDER BY requests DESC)### t WHERE $filter-var-ONLY AND recipient IS NOT NULL GROUP BY recipient HAVING sum(bandwidth)>0 ORDER BY bandwidth DESC utm-drilldown- UTM drilldown top Top-Emailemail Senders Traffic SELECT sender, sum(bandwidth) AS bandwidth FROM ### 88 Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax senders (SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, sender, count(*) AS requests, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND service IN ('smtp', 'SMTP', '25/tcp', '587/tcp', 'smtps', 'SMTPS', '465/tcp') GROUP BY user_src, sender ORDER BY requests DESC)### t WHERE $filter-var-ONLY AND sender IS NOT NULL GROUP BY sender HAVING sum(bandwidth)>0 ORDER BY bandwidth DESC UTM drillutm-drilldowndown top Top-Useruser desDestination tination Traffic SELECT appid, app, dstip, sum(sessions) AS sessions, sum(bandwidth) AS bandwidth FROM ### (SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, appid, app, dstip, count(*) AS sessions, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND dstip IS NOT NULL AND nullifna(app) IS NOT NULL GROUP BY user_src, appid, app, dstip HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) >0 ORDER BY bandwidth DESC)### t WHERE $filter-var-ONLY GROUP BY appid, app, dstip ORDER BY bandwidth DESC utm-drilldown- UTM drill- Traffic SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) Copyright © 2014 Fortinet, Inc. All Rights Reserved 89 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax down top Top-Users-By- users by Bandwidth bandwidth usage AS dldn_user, count(*) AS SESSION, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(sentbyte, 0)) AS traffic_out, sum(coalesce(rcvdbyte, 0)) AS traffic_in FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY dldn_user HAVING sum(coalesce(sentbyte, 0)+coalesce (rcvdbyte, 0))>0 ORDER BY bandwidth DESC UTM drillutm-drilldowndown top Top-Virus virus SELECT virus, sum(totalnum) AS totalnum FROM (### (SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, virus, count(*) AS totalnum FROM $log-traffic WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IS NOT NULL AND virus IS NOT NULL GROUP BY user_src, virus ORDER BY totalnum DESC)### UNION ALL ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, virus, count(*) AS totalnum FROM $log-virus WHERE $filter-exclude-var AND (eventtype IS NULL OR logver = 52) AND nullifna(virus) IS NOT NULL GROUP BY user_src, virus ORDER BY totalnum DESC)###) t WHERE $filter-var-ONLY GROUP BY virus ORDER BY totalnum DESC utm-drilldownTop-Vulnerability-ByName 90 Traffic UTM drilldown top vulnetscan nerability by name SELECT vuln, sum(totalnum) AS totalnum FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, vuln, count(*) AS totalnum FROM $log WHERE $filter-exclude-var AND action='vuln-detection' AND vuln IS NOT NULL GROUP BY user_src, vuln ORDER BY totalnum DESC)### t Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax WHERE $filter-var-ONLY GROUP BY vuln ORDER BY totalnum DESC Traffic SELECT srcip, srcname FROM (SELECT * FROM (### (SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr (`srcip`)) AS user_src, srcip, srcname FROM $log WHERE $filter-exclude-var AND logid_to_int(logid) NOT IN (4, 7, 14) GROUP BY user_src, srcip, srcname)###) t WHERE $filter-var-ONLY GROUP BY user_src, srcip, srcname) t GROUP BY srcip, srcname UTM top allowed webTraffic sites by bandwidth usage SELECT appid, hostname, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(rcvdbyte, 0)) AS traffic_in, sum(coalesce(sentbyte, 0)) AS traffic_out FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') AND hostname IS NOT NULL GROUP BY appid, hostname, catdesc HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY bandwidth DESC UTM top allowed web Traffic sites by request SELECT hostname, catdesc, count(*) AS requests FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', utm-drilldown- UTM drillTraffic-Sumdown traffic mary summary utm-TopAllowed-Websites-By-Bandwidth utm-TopAllowed-WebSites-ByRequest Copyright © 2014 Fortinet, Inc. All Rights Reserved 91 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax 'web-content', 'command-block', 'script-filter') AND hostname IS NOT NULL AND utmaction!='blocked' GROUP BY hostname, catdesc ORDER BY requests DESC utm-TopAttack-Dest UTM top attack dest attack SELECT dstip, count(*) AS totalnum FROM $log WHERE $filter AND dstip IS NOT NULL GROUP BY dstip ORDER BY totalnum DESC utm-TopUTM top attack Attack-Source attack source SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, count(*) AS totalnum FROM $log WHERE $filter GROUP BY user_src ORDER BY totalnum DESC utm-TopBlocked-WebSites-ByRequest SELECT hostname, count(*) AS requests FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') AND hostname IS NOT NULL AND utmaction='blocked' GROUP BY hostname ORDER BY requests DESC UTM top blocked web Traffic sites by request utm-TopUTM top Blocked-Web- blocked web Traffic Users users 92 SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, devtype, srcname, count(*) AS requests FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') AND utmaction='blocked' GROUP BY user_src, devtype, srcname ORDER BY requests DESC Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category UTM top utm-Topvideo streamVideo-Streaming websites Traffic ing-Websitesby bandwidth By-Bandwidth usage utm-Top-Virus utm-TopVirus-User UTM top virus UTM top virus user Copyright © 2014 Fortinet, Inc. All Rights Reserved Query Syntax SELECT appid, hostname, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(rcvdbyte, 0)) AS traffic_in, sum(coalesce(sentbyte, 0)) AS traffic_out FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND catdesc IN ('Streaming Media and Download') GROUP BY appid, hostname HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY bandwidth DESC Traffic SELECT virus, (CASE WHEN virus LIKE 'Riskware%' THEN 'Spyware' WHEN virus LIKE 'Adware%' THEN 'Adware' ELSE 'Virus' END) AS malware_type, sum(totalnum) AS totalnum FROM (### (SELECT virus, count(*) AS totalnum FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IS NOT NULL AND virus IS NOT NULL GROUP BY virus ORDER BY totalnum DESC)### UNION ALL ### (SELECT virus, count(*) AS totalnum FROM $log-virus WHERE $filter AND (eventtype IS NULL OR logver = 52) AND nullifna(virus) IS NOT NULL GROUP BY virus ORDER BY totalnum DESC)###) t GROUP BY virus, malware_type ORDER BY totalnum DESC Traffic SELECT user_src, sum(totalnum) AS totalnum FROM (### (SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, count(*) AS totalnum FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) 93 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax AND utmevent IS NOT NULL AND virus IS NOT NULL GROUP BY user_src ORDER BY totalnum DESC)### UNION ALL ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, count(*) AS totalnum FROM $log-virus WHERE $filter AND (eventtype IS NULL OR logver = 52) AND nullifna(virus) IS NOT NULL GROUP BY user_src ORDER BY totalnum DESC)###) t GROUP BY user_src ORDER BY totalnum DESC UTM top web utm-Top-Webusers by Users-ByTraffic bandwidth Bandwidth usage SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, devtype, srcname, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(rcvdbyte, 0)) AS traffic_in, sum(coalesce(sentbyte, 0)) AS traffic_out FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') GROUP BY user_src, devtype, srcname HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY bandwidth DESC utm-Top-Web- UTM top web Users-Byusers by Traffic Request request SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, devtype, srcname, count(*) AS requests FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') GROUP BY user_src, devtype, srcname ORDER BY requests DESC vpn-Authentic- VPN authen- event SELECT f_user, 94 Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name ated-Logins Description Log Category ticated logins Query Syntax tunneltype, sum(total) AS total_num, sum(dura) AS duration FROM ### (SELECT t1.f_user AS f_user, t1.tunneltype AS tunneltype, t1.total AS total, t2.dura AS dura FROM ( (SELECT coalesce(nullifna(`xauthuser`), ùser`) AS f_user, tunneltype, count(*) AS total, tunnelid FROM $log WHERE $filter AND subtype='vpn' AND (tunneltype='ipsec' OR tunneltype='ssl-web') AND action='tunnel-up' AND coalesce(nullifna(`xauthuser`), nullifna(ùser`)) IS NOT NULL GROUP BY f_user, tunneltype, tunnelid ORDER BY tunnelid) AS t1 INNER JOIN (SELECT tunnelid, sum(dura_end-dura_beg) AS dura FROM (SELECT coalesce(nullifna(`xauthuser`),ùser`) AS f_user, tunneltype, min(coalesce(duration, 0)) AS dura_beg, max(coalesce(duration,0)) AS dura_end, tunnelid, min(coalesce(sentbyte, 0)) AS sent_beg, max(coalesce(sentbyte, 0)) AS sent_end, min(coalesce(rcvdbyte, 0)) AS rcvd_beg, max(coalesce(rcvdbyte, 0)) AS rcvd_end FROM $log WHERE $filter AND subtype='vpn' AND tunneltype IN ('ipsec', 'ssl-web') AND coalesce(nullifna(`xauthuser`), nullifna(ùser`)) IS NOT NULL AND action='tunnel-stats' AND tunnelid IS NOT NULL GROUP BY f_user, tunneltype, tunnelid ORDER BY tunnelid) tt GROUP BY tunnelid HAVING sum(sent_end-sent_beg+rcvd_ end-rcvd_beg)>0) AS t2 ON t1.tunnelid=t2.tunnelid))### t GROUP BY f_user, Copyright © 2014 Fortinet, Inc. All Rights Reserved 95 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax tunneltype ORDER BY total_num DESC vpn-FailedLogins VPN failed logins event SELECT f_user, tunneltype, sum(total_num) AS total_num FROM ### (SELECT coalesce(nullifna(`xauthuser`), ùser`) AS f_user, tunneltype, count(*) AS total_num FROM $log WHERE $filter AND subtype='vpn' AND (tunneltype='ipsec' OR left(tunneltype, 3)='ssl') AND action IN ('ssl-login-fail', 'ipsec-login-fail') AND coalesce(nullifna(`xauthuser`), nullifna(ùser`)) IS NOT NULL GROUP BY f_user, tunneltype)### t GROUP BY f_user, tunneltype ORDER BY total_num DESC SELECT vpn_name, sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth, sum(rcvd_end-rcvd_beg) AS traffic_in, sum(sent_end-sent_beg) AS traffic_out FROM ### (SELECT vpn_trim(vpntunnel) AS vpn_name, tunnelid, min(coalesce(sentbyte, 0)) AS sent_beg, max(coalesce(sentbyte, 0)) AS sent_end, min(coalesce(rcvdbyte, 0)) AS rcvd_beg, vpn-Top-DialUp-IPSECTunnels-ByBandwidth Top dial up IPsec tunnels event by bandwidth usage vpn-Top-DialUp-IPSECUsers-ByBandwidth Top dial up IPsec users event by bandwidth usage 96 max(coalesce(rcvdbyte, 0)) AS rcvd_end FROM $log WHERE $filter AND nullifna(vpntunnel) IS NOT NULL AND subtype='vpn' AND tunneltype LIKE 'ipsec%' AND NOT (tunnelip IS NULL OR (tunnelip='0.0.0.0' AND coalesce(logver, 0)!=52)) AND action='tunnel-stats' AND tunnelid IS NOT NULL GROUP BY vpn_name, tunnelid ORDER BY tunnelid)### t GROUP BY vpn_name HAVING sum(sent_end-sent_beg+rcvd_endrcvd_beg)>0 ORDER BY bandwidth DESC SELECT user_src, remip, sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth, sum(rcvd_end-rcvd_beg) AS traffic_in, sum(sent_end-sent_beg) AS traffic_out FROM ### Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax (SELECT coalesce(nullifna(`xauthuser`), nullifna(ùser`), ipstr (`remip`)) AS user_src, remip, tunnelid, min(coalesce(sentbyte, 0)) AS sent_beg, max (coalesce(sentbyte, 0)) AS sent_end, min(coalesce(rcvdbyte, 0)) AS rcvd_beg, max(coalesce(rcvdbyte, 0)) AS rcvd_end FROM $log WHERE $filter AND subtype='vpn' AND tunneltype LIKE 'ipsec%' AND NOT (tunnelip IS NULL OR (tunnelip='0.0.0.0' AND coalesce(logver, 0)!=52)) AND action='tunnel-stats' AND tunnelid IS NOT NULL GROUP BY user_src, remip, tunnelid ORDER BY tunnelid)### t GROUP BY user_src, remip HAVING sum(sent_end-sent_beg+rcvd_end-rcvd_beg)>0 ORDER BY bandwidth DESC vpn-Top-Dialup-IPSECUsers-ByBandwidthand-Avail Top dialup IPsec users by bandwidth event usage and avail SELECT user_src, remip, sum(traffic_out) AS traffic_out, sum(traffic_in) AS traffic_in, sum(bandwidth) AS bandwidth, sum(uptime) AS uptime FROM (SELECT user_src, remip, tunnelid, devid, vd, sum(sent_end-sent_beg) AS traffic_out, sum(rcvd_end-rcvd_beg) AS traffic_in, sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth, sum(duration_end-duration_beg) AS uptime FROM ### (SELECT tunnelid, coalesce(nullifna(`xauthuser`), nullifna(ùser`), ipstr(`remip`)) AS user_src, remip, devid, vd, min(coalesce(sentbyte, 0)) AS sent_beg, max (coalesce(sentbyte, 0)) AS sent_end, min(coalesce(rcvdbyte, 0)) AS rcvd_beg, Copyright © 2014 Fortinet, Inc. All Rights Reserved 97 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax max(coalesce(rcvdbyte, 0)) AS rcvd_end, min(coalesce(duration, 0)) AS duration_beg, max(coalesce(duration, 0)) AS duration_end FROM $log WHERE $filter AND subtype='vpn' AND action='tunnel-stats' AND tunneltype LIKE 'ipsec%' AND NOT (tunnelip IS NULL OR (tunnelip='0.0.0.0' AND coalesce(logver, 0)!=52)) AND tunnelid IS NOT NULL GROUP BY tunnelid, user_src, remip, devid, vd ORDER BY tunnelid)### t GROUP BY user_src, remip, tunnelid, devid, vd ORDER BY bandwidth DESC) t GROUP BY user_src, remip ORDER BY bandwidth DESC SELECT user_src, sum(dura_end-dura_beg) AS duration, sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth FROM ### (SELECT coalesce(nullifna(`xauthuser`), nullifna(ùser`), ipstr (`remip`)) AS user_src, tunnelid, min(coalesce(duration, 0)) AS dura_beg, max (coalesce(duration,0)) AS dura_end, min(coalesce(sentbyte, 0)) AS sent_beg, vpn-Top-DialTop dial up Up-IPSECIPsec users Users-By-Durby duration ation 98 max(coalesce(sentbyte, 0)) AS sent_end, event min(coalesce(rcvdbyte, 0)) AS rcvd_beg, max(coalesce(rcvdbyte, 0)) AS rcvd_end FROM $log WHERE $filter AND subtype='vpn' AND tunneltype LIKE 'ipsec%' AND NOT (tunnelip IS NULL OR (tunnelip='0.0.0.0' AND coalesce(logver, 0)!=52)) AND action='tunnel-stats' AND tunnelid IS NOT NULL GROUP BY user_src, tunnelid ORDER BY tunnelid)### t GROUP BY user_src HAVING sum(sent_end-sent_beg+rcvd_end- Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax rcvd_beg)>0 ORDER BY duration DESC SELECT user_src, tunneltype, sum(dura_end-dura_beg) AS duration, sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth FROM ### (SELECT coalesce(nullifna(`xauthuser`), nullifna(ùser`), ipstr (`remip`)) AS user_src, tunneltype, tunnelid, min(coalesce(duration, 0)) AS dura_beg, max (coalesce(duration,0)) AS dura_end, min(coalesce(sentbyte, 0)) AS sent_beg, vpn-Top-DialTop dial up Up-VPNVPN users by event Users-By-Durduration ation vpn-Top-S2SIPSEC-Tunnels-By-Bandwidth-andAvail Top S2S IPsec tunnels by bandwidth event usage and avail Copyright © 2014 Fortinet, Inc. All Rights Reserved max(coalesce(sentbyte, 0)) AS sent_end, min(coalesce(rcvdbyte, 0)) AS rcvd_beg, max(coalesce(rcvdbyte, 0)) AS rcvd_end FROM $log WHERE $filter AND subtype='vpn' AND (tunneltype LIKE 'ssl%' OR (tunneltype LIKE 'ipsec%' AND NOT (tunnelip IS NULL OR (tunnelip='0.0.0.0' AND coalesce(logver, 0)!=52)))) AND action='tunnel-stats' AND tunnelid IS NOT NULL GROUP BY user_src, tunneltype, tunnelid ORDER BY tunnelid)### t GROUP BY user_src, tunneltype HAVING sum(sent_end-sent_beg+rcvd_end-rcvd_beg) >0 ORDER BY duration DESC SELECT vpntunnel, tunneltype, sum(traffic_out) AS traffic_out, sum(traffic_in) AS traffic_in, sum(bandwidth) AS bandwidth, sum(uptime) AS uptime FROM (SELECT vpntunnel, tunneltype, tunnelid, devid, vd, sum(sent_end-sent_beg) AS traffic_out, sum(rcvd_end-rcvd_beg) AS traffic_in, sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth, sum(duration_end-duration_beg) AS uptime FROM ### (SELECT tunnelid, 99 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax tunneltype, vpntunnel, devid, vd, min(coalesce(sentbyte, 0)) AS sent_beg, max(coalesce(sentbyte, 0)) AS sent_end, min(coalesce(rcvdbyte, 0)) AS rcvd_beg, max (coalesce(rcvdbyte, 0)) AS rcvd_end, min(coalesce(duration, 0)) AS duration_beg, max(coalesce(duration, 0)) AS duration_end FROM $log WHERE $filter AND subtype='vpn' AND action='tunnel-stats' AND tunneltype LIKE 'ipsec%' AND (tunnelip IS NULL OR (tunnelip='0.0.0.0' AND coalesce(logver, 0)!=52)) AND nullifna(ùser`) IS NULL AND tunnelid IS NOT NULL GROUP BY tunnelid, tunneltype, vpntunnel, devid, vd ORDER BY tunnelid)### t GROUP BY vpntunnel, tunneltype, tunnelid, devid, vd ORDER BY bandwidth DESC) t GROUP BY vpntunnel, tunneltype ORDER BY bandwidth DESC vpn-Top-SSLTunnel-UsersBy-Bandwidth-andAvail 100 Top SSL tunnel users by bandwidth event usage and avail SELECT user_src, remote_ip, sum(traffic_out) AS traffic_out, sum(traffic_in) AS traffic_in, sum(bandwidth) AS bandwidth, sum(uptime) AS uptime FROM (SELECT user_src, remip AS remote_ip, tunnelid, devid, vd, sum(sent_end-sent_beg) AS traffic_out, sum(rcvd_end-rcvd_beg) AS traffic_in, sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth, sum(duration_end-duration_beg) AS uptime FROM ### (SELECT tunnelid, coalesce(nullifna(ùser`), ipstr(`remip`)) AS user_src, Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax remip, devid, vd, min(coalesce(sentbyte, 0)) AS sent_ beg, max(coalesce(sentbyte, 0)) AS sent_end, min (coalesce(rcvdbyte, 0)) AS rcvd_beg, max(coalesce(rcvdbyte, 0)) AS rcvd_end, min(coalesce(duration, 0)) AS duration_beg, max(coalesce(duration, 0)) AS duration_end FROM $log WHERE $filter AND subtype='vpn' AND action='tunnel-stats' AND tunneltype IN ('ssl-tunnel', 'ssl') AND coalesce(nullifna(ùser`), ipstr(`remip`)) IS NOT NULL AND tunnelid IS NOT NULL GROUP BY tunnelid, user_src, remip, devid, vd ORDER BY tunnelid)### t GROUP BY user_src, remote_ip, tunnelid, devid, vd ORDER BY bandwidth DESC) t GROUP BY user_src, remote_ip ORDER BY bandwidth DESC Top SSL vpn-Top-SSLVPN tunnel VPN-Tunnelusers by Users-Bybandwidth Bandwidth usage event SELECT user_src, remote_ip, sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth, sum(rcvd_end-rcvd_beg) AS traffic_in, sum(sent_end-sent_beg) AS traffic_out FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`remip`)) AS user_src, remip AS remote_ip, tunnelid, min(coalesce(sentbyte, 0)) AS sent_beg, max(coalesce (sentbyte, 0)) AS sent_end, min(coalesce(rcvdbyte, 0)) AS rcvd_beg, max(coalesce(rcvdbyte, 0)) AS rcvd_end FROM $log WHERE $filter AND subtype='vpn' AND tunneltype LIKE 'ssl-tunnel' Copyright © 2014 Fortinet, Inc. All Rights Reserved 101 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax AND action='tunnel-stats' AND coalesce(nullifna(ùser`), ipstr(`remip`)) IS NOT NULL GROUP BY tunnelid, user_src, remip ORDER BY tunnelid)### t GROUP BY user_src, remote_ip HAVING sum(sent_end-sent_beg+rcvd_end-rcvd_beg) >0 ORDER BY bandwidth DESC SELECT user_src, remote_ip, sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth, sum(rcvd_end-rcvd_beg) AS traffic_in, sum(sent_end-sent_beg) AS traffic_out FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`remip`)) AS user_src, remip AS remote_ip, tunnelid, min(coalesce(sentbyte, 0)) AS sent_beg, max(coalesce (sentbyte, 0)) AS sent_end, Top SSL vpn-Top-SSLVPN users by VPN-Usersevent bandwidth By-Bandwidth usage vpn-Top-SSL- Top SSL VPN-UsersVPN users by event By-Duration duration 102 min(coalesce(rcvdbyte, 0)) AS rcvd_beg, max(coalesce(rcvdbyte, 0)) AS rcvd_end FROM $log WHERE $filter AND subtype='vpn' AND tunneltype LIKE 'ssl%' AND action='tunnel-stats' AND coalesce(nullifna(ùser`), ipstr(`remip`)) IS NOT NULL AND tunnelid IS NOT NULL GROUP BY tunnelid, user_src, remip ORDER BY tunnelid)### t GROUP BY user_src, remote_ip HAVING sum(sent_end-sent_beg+rcvd_end-rcvd_beg) >0 ORDER BY bandwidth DESC SELECT user_src, tunneltype, sum(dura_end-dura_beg) AS duration, sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`remip`)) AS user_src, tunneltype, min(coalesce(duration, 0)) AS dura_ beg, max(coalesce(duration, 0)) AS dura_end, tunnelid, min (coalesce(sentbyte, 0)) AS sent_beg, Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax max(coalesce(sentbyte, 0)) AS sent_end, min(coalesce(rcvdbyte, 0)) AS rcvd_beg, max(coalesce(rcvdbyte, 0)) AS rcvd_end FROM $log WHERE $filter AND subtype='vpn' AND tunneltype LIKE 'ssl%' AND action='tunnel-stats' AND coalesce(nullifna(ùser`), ipstr(`remip`)) IS NOT NULL AND tunnelid IS NOT NULL GROUP BY tunnelid, user_src, tunneltype ORDER BY tunnelid)### t GROUP BY user_src, tunneltype HAVING sum(sent_end-sent_beg+rcvd_end-rcvd_beg) >0 ORDER BY duration DESC SELECT user_src, remote_ip, sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth, sum(rcvd_end-rcvd_beg) AS traffic_in, sum(sent_end-sent_beg) AS traffic_out FROM ### (SELECT coalesce(nullifna(ùser`), ipstr(`remip`)) AS user_src, remip AS remote_ip, tunnelid, min(coalesce(sentbyte, 0)) AS sent_beg, max(coalesce (sentbyte, 0)) AS sent_end, Top SSL vpn-Top-SSLVPN web VPN-Webmode users event Mode-Usersby bandwidth By-Bandwidth usage vpn-Top-SSLWeb-UsersBy-Bandwidth-andAvail Top SSL web users by bandwidth event usage and avail Copyright © 2014 Fortinet, Inc. All Rights Reserved min(coalesce(rcvdbyte, 0)) AS rcvd_beg, max(coalesce(rcvdbyte, 0)) AS rcvd_end FROM $log WHERE $filter AND subtype='vpn' AND tunneltype='ssl-web' AND action='tunnel-stats' AND coalesce(nullifna(ùser`), ipstr(`remip`)) IS NOT NULL AND tunnelid IS NOT NULL GROUP BY tunnelid, user_src, remip ORDER BY tunnelid)### t GROUP BY user_src, remote_ip HAVING sum(sent_end-sent_beg+rcvd_end-rcvd_beg) >0 ORDER BY bandwidth DESC SELECT user_src, remote_ip, sum(traffic_out) AS traffic_out, sum(traffic_in) AS traffic_in, sum(bandwidth) AS bandwidth, sum(uptime) AS uptime 103 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax FROM (SELECT user_src, remip AS remote_ip, tunnelid, devid, vd, sum(sent_end-sent_beg) AS traffic_out, sum(rcvd_end-rcvd_beg) AS traffic_in, sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth, sum(duration_end-duration_beg) AS uptime FROM ### (SELECT tunnelid, coalesce(nullifna(ùser`), ipstr(`remip`)) AS user_src, remip, devid, vd, min(coalesce(sentbyte, 0)) AS sent_ beg, max(coalesce(sentbyte, 0)) AS sent_end, min (coalesce(rcvdbyte, 0)) AS rcvd_beg, max(coalesce(rcvdbyte, 0)) AS rcvd_end, min(coalesce(duration, 0)) AS duration_beg, max(coalesce(duration, 0)) AS duration_end FROM $log WHERE $filter AND subtype='vpn' AND action='tunnel-stats' AND tunneltype='ssl-web' AND coalesce(nullifna(ùser`), ipstr(`remip`)) IS NOT NULL AND tunnelid IS NOT NULL GROUP BY tunnelid, user_src, remip, devid, vd ORDER BY tunnelid)### t GROUP BY user_src, remote_ip, tunnelid, devid, vd HAVING sum(sent_end-sent_beg+rcvd_end-rcvd_beg)>0 ORDER BY bandwidth DESC) t GROUP BY user_src, remote_ip ORDER BY bandwidth DESC vpn-TopStatic-IPSECTunnels-ByBandwidth 104 Top static IPsec tunnels event by bandwidth usage SELECT vpn_name, sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS bandwidth, sum(rcvd_end-rcvd_beg) AS traffic_in, sum(sent_end-sent_beg) AS traffic_out FROM ### (SELECT vpn_trim(vpntunnel) AS vpn_name, tunnelid, min(coalesce(sentbyte, 0)) AS sent_beg, max(coalesce(sentbyte, 0)) AS Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax sent_end, min(coalesce(rcvdbyte, 0)) AS rcvd_beg, max(coalesce(rcvdbyte, 0)) AS rcvd_end FROM $log WHERE $filter AND subtype='vpn' AND tunneltype LIKE 'ipsec%' AND (tunnelip IS NULL OR (tunnelip='0.0.0.0' AND coalesce(logver, 0)!=52)) AND action='tunnel-stats' AND tunnelid IS NOT NULL GROUP BY vpn_name, tunnelid ORDER BY tunnelid)### t GROUP BY vpn_name HAVING sum(sent_end-sent_beg+rcvd_endrcvd_beg)>0 ORDER BY bandwidth DESC vpn-TrafficVPN traffic Usage-Trendusage trend VPN event SELECT hodex, sum(coalesce(ssl_bandwidth, 0)) AS ssl_bandwidth, sum(coalesce(ipsec_bandwidth, 0)) AS ipsec_bandwidth FROM ### (SELECT coalesce(t1.hodex, t2.hodex) AS hodex, ssl_bandwidth, ipsec_bandwidth FROM (SELECT hodex, sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS ssl_bandwidth FROM (SELECT $flex_timescale AS hodex, tunnelid, devid, vd, min(coalesce(sentbyte, 0)) AS sent_beg, max(coalesce(sentbyte, 0)) AS sent_end, min(coalesce (rcvdbyte, 0)) AS rcvd_beg, max(coalesce(rcvdbyte, 0)) AS rcvd_end FROM $log WHERE $filter AND subtype='vpn' AND action='tunnel-stats' AND tunnelid IS NOT NULL AND tunneltype LIKE 'ssl%' GROUP BY hodex, tunnelid, devid, vd ORDER BY tunnelid) t_ssl GROUP BY hodex) AS t1 FULL JOIN (SELECT hodex, sum(sent_end-sent_beg+rcvd_end-rcvd_beg) AS ipsec_band- Copyright © 2014 Fortinet, Inc. All Rights Reserved 105 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax width FROM (SELECT $flex_timescale AS hodex, tunnelid, devid, vd, min(coalesce(sentbyte, 0)) AS sent_beg, max(coalesce(sentbyte, 0)) AS sent_end, min(coalesce (rcvdbyte, 0)) AS rcvd_beg, max(coalesce(rcvdbyte, 0)) AS rcvd_end FROM $log WHERE $filter AND subtype='vpn' AND action='tunnel-stats' AND tunnelid IS NOT NULL AND tunneltype LIKE 'ipsec%' GROUP BY hodex, tunnelid, devid, vd ORDER BY tunnelid) t_ipsec GROUP BY hodex) AS t2 ON t1.hodex = t2.hodex)### t GROUP BY hodex ORDER BY hodex vpn-UserLogin-history 106 VPN user login history event SELECT hodex, count(*) AS total_num FROM ### (SELECT t1.hodex AS hodex FROM ( (SELECT $flex_timescale AS hodex, tunnelid FROM $log WHERE $filter AND subtype='vpn' AND (tunneltype='ipsec' OR tunneltype='ssl-web') AND action='tunnel-up' AND coalesce(nullifna(`xauthuser`), nullifna(ùser`)) IS NOT NULL GROUP BY hodex, tunnelid ORDER BY hodex DESC) AS t1 INNER JOIN (SELECT tunnelid FROM (SELECT tunnelid, min(coalesce(sentbyte, 0)) AS sent_beg, max(coalesce(sentbyte, 0)) AS sent_end, min(coalesce(rcvdbyte, 0)) AS rcvd_beg, max (coalesce(rcvdbyte, 0)) AS rcvd_end FROM $log WHERE $filter AND subtype='vpn' Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax AND tunneltype IN ('ipsec', 'ssl-web') AND action='tunnel-stats' AND tunnelid IS NOT NULL GROUP BY tunnelid ORDER BY tunnelid) tt GROUP BY tunnelid HAVING sum(sent_end-sent_beg+rcvd_ end-rcvd_beg)>0) AS t2 ON t1.tunnelid=t2.tunnelid))### t GROUP BY hodex ORDER BY total_num DESC web-Detailed- Web detailed Websitewebsite Traffic Browsing-Log browsing log Copyright © 2014 Fortinet, Inc. All Rights Reserved SELECT FROM_dtime(dtime) AS TIMESTAMP, catdesc, hostname AS website, action AS status, sum(bandwidth) AS bandwidth FROM (### (SELECT dtime, catdesc, hostname, action, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-traffic WHERE $filter AND hostname IS NOT NULL AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') GROUP BY dtime, catdesc, hostname, action ORDER BY dtime DESC)### UNION ALL ### (SELECT dtime, catdesc, hostname, action, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-webfilter WHERE $filter AND hostname IS NOT NULL AND (eventtype IS NULL OR logver=52) GROUP BY dtime, catdesc, hostname, action ORDER BY dtime DESC)###) t GROUP BY dtime, catdesc, website, 107 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax status ORDER BY dtime DESC webfilter-Categories-ByBandwidth Webfilter categories by webfilter bandwidth usage webfilter-Top- Webfilter top Allowed-Web- allowed web webfilter Categories categories 108 SELECT catdesc, sum(bandwidth) AS bandwidth FROM (### (SELECT catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') AND catdesc IS NOT NULL GROUP BY catdesc ORDER BY bandwidth DESC)### UNION ALL ### (SELECT catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-webfilter WHERE $filter AND (eventtype IS NULL OR logver = 52) AND catdesc IS NOT NULL GROUP BY catdesc ORDER BY bandwidth DESC)###) t GROUP BY catdesc ORDER BY bandwidth DESC SELECT catdesc, sum(requests) AS requests FROM (### (SELECT catdesc, count(*) AS requests FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') AND catdesc IS NOT NULL AND utmaction!='blocked' GROUP BY catdesc ORDER BY requests DESC)### UNION ALL ### (SELECT catdesc, count(*) AS requests FROM $log-webfilter WHERE $filter Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax AND (eventtype IS NULL OR logver = 52) AND catdesc IS NOT NULL AND action!='blocked' GROUP BY catdesc ORDER BY requests DESC)###) t GROUP BY catdesc ORDER BY requests DESC SELECT DOMAIN, string_agg(DISTINCT catdesc, ', ') AS agg_catdesc, sum(bandwidth) AS bandwidth, sum(traffic_in) AS traffic_in, sum(traffic_out) AS traffic_out FROM (### (SELECT coalesce(nullifna(hostname), ipstr(`srcip`)) AS DOMAIN, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum (coalesce(rcvdbyte, 0)) AS traffic_in, webfilter-TopAllowed-WebSites-by-Bandwidth Webfilter top allowed web webfilter sites by bandwidth usage sum(coalesce(sentbyte, 0)) AS traffic_out FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') AND utmaction!='blocked' GROUP BY DOMAIN, catdesc HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY bandwidth DESC)### UNION ALL ### (SELECT coalesce(nullifna(hostname), ipstr(`srcip`)) AS DOMAIN, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum (coalesce(rcvdbyte, 0)) AS traffic_in, sum(coalesce(sentbyte, 0)) AS traffic_out FROM $log-webfilter WHERE $filter AND (eventtype IS NULL OR logver = 52) AND action!='blocked' GROUP BY DOMAIN, catdesc HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY bandwidth DESC)###) t GROUP BY DOMAIN, catdesc ORDER BY bandwidth DESC Copyright © 2014 Fortinet, Inc. All Rights Reserved 109 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name webfilter-TopAllowed-WebSites-ByRequests Description Log Category Query Syntax Webfilter top allowed web webfilter sites by requests SELECT DOMAIN, string_agg(DISTINCT catdesc, ', ') AS agg_catdesc, sum(requests) AS requests FROM (### (SELECT hostname AS DOMAIN, catdesc, count(*) AS requests FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') AND hostname IS NOT NULL AND utmaction!='blocked' GROUP BY DOMAIN, catdesc ORDER BY requests DESC)### UNION ALL ### (SELECT hostname AS DOMAIN, catdesc, count(*) AS requests FROM $log-webfilter WHERE $filter AND (eventtype IS NULL OR logver = 52) AND hostname IS NOT NULL AND catdesc IS NOT NULL AND action!='blocked' GROUP BY DOMAIN, catdesc ORDER BY requests DESC)###) t GROUP BY DOMAIN ORDER BY requests DESC webfilter-Top- Webfilter top Blocked-Web- blocked web webfilter Categories categories 110 SELECT catdesc, sum(requests) AS requests FROM (### (SELECT catdesc, count(*) AS requests FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') AND catdesc IS NOT NULL AND utmaction='blocked' GROUP BY catdesc ORDER BY requests DESC)### UNION ALL ### (SELECT catdesc, Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax count(*) AS requests FROM $log-webfilter WHERE $filter AND (eventtype IS NULL OR logver = 52) AND catdesc IS NOT NULL AND action='blocked' GROUP BY catdesc ORDER BY requests DESC)###) t GROUP BY catdesc ORDER BY requests DESC webfilter-TopBlocked-WebSites-ByRequests Webfilter top blocked web webfilter sites by requests SELECT DOMAIN, catdesc, sum(requests) AS requests FROM (### (SELECT hostname AS DOMAIN, catdesc, count(*) AS requests FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') AND hostname IS NOT NULL AND utmaction='blocked' GROUP BY DOMAIN, catdesc ORDER BY requests DESC)### UNION ALL ### (SELECT hostname AS DOMAIN, catdesc, count(*) AS requests FROM $log-webfilter WHERE $filter AND (eventtype IS NULL OR logver = 52) AND hostname IS NOT NULL AND catdesc IS NOT NULL AND action='blocked' GROUP BY DOMAIN, catdesc ORDER BY requests DESC)###) t GROUP BY DOMAIN, catdesc ORDER BY requests DESC webfilter-Top- Webfilter top Searchsearch Phrases phrases webfilter SELECT keyword, count(*) AS requests FROM $log WHERE $filter AND keyword IS NOT NULL GROUP BY keyword ORDER BY requests DESC webfilter-Top- Webfilter top webfilter SELECT DOMAIN, Copyright © 2014 Fortinet, Inc. All Rights Reserved 111 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax sum(bandwidth) AS bandwidth, sum(traffic_in) AS traffic_in, sum(traffic_out) AS traffic_out FROM (### (SELECT coalesce(nullifna(root_domain(hostname)), 'other') AS DOMAIN, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(rcvdbyte, 0)) AS traffic_in, video streamVideo-Streaming websites ing-Websitesby bandwidth By-Bandwidth usage sum(coalesce(sentbyte, 0)) AS traffic_out FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') AND catdesc IN ('Streaming Media and Download') GROUP BY DOMAIN HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY bandwidth DESC)### UNION ALL ### (SELECT coalesce(nullifna(root_domain(hostname)), 'other') AS DOMAIN, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(rcvdbyte, 0)) AS traffic_in, sum(coalesce(sentbyte, 0)) AS traffic_out FROM $log-webfilter WHERE $filter AND (eventtype IS NULL OR logver = 52) AND catdesc IN ('Streaming Media and Download') GROUP BY DOMAIN HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY bandwidth DESC)###) t GROUP BY DOMAIN ORDER BY bandwidth DESC webfilter-TopWeb-UsersBy-AllowedRequests 112 Webfilter top web users by webfilter allowed requests SELECT user_src, devtype, hostname_mac, sum(requests) AS requests FROM (### (SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, devtype, coalesce(nullifna(`srcname`), `srcmac`) AS hostname_mac, count(*) AS requests FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') AND coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) IS NOT NULL AND utmaction!='blocked' GROUP BY user_src, devtype, hostname_mac ORDER BY requests DESC)### UNION ALL ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, '0' AS devtype, ipstr(`srcip`) AS hostname_mac, count(*) AS requests FROM $log-webfilter WHERE $filter AND (eventtype IS NULL OR logver = 52) AND coalesce(nullifna(ùser`), ipstr(`srcip`)) IS NOT NULL AND action!='blocked' GROUP BY user_src, devtype, hostname_mac ORDER BY requests DESC)###) t GROUP BY user_src, devtype, hostname_mac ORDER BY requests DESC Webfilter top webfilter-Topweb users by Web-Userswebfilter bandwidth By-Bandwidth usage SELECT user_src, devtype, hostname_mac, sum(bandwidth) AS bandwidth, sum(traffic_in) AS traffic_in, sum(traffic_out) AS traffic_out FROM (### (SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, devtype, coalesce(nullifna(`srcname`), `srcmac`) AS hostname_mac, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(rcvdbyte, 0)) AS traffic_in, sum(coalesce(sentbyte, 0)) AS traffic_out FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', Copyright © 2014 Fortinet, Inc. All Rights Reserved 113 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax 'command-block', 'script-filter') GROUP BY user_src, devtype, hostname_mac HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY bandwidth DESC)### UNION ALL ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, '0' AS devtype, ipstr(`srcip`) AS hostname_mac, sum(coalesce(sentbyte, 0) +coalesce(rcvdbyte, 0)) AS bandwidth, sum(coalesce(rcvdbyte, 0)) AS traffic_in, sum(coalesce(sentbyte, 0)) AS traffic_out FROM $log-webfilter WHERE $filter AND (eventtype IS NULL OR logver = 52) GROUP BY user_src, devtype, hostname_mac HAVING sum(coalesce(sentbyte, 0)+coalesce (rcvdbyte, 0))>0 ORDER BY bandwidth DESC)###) t GROUP BY user_src, devtype, hostname_mac ORDER BY bandwidth DESC SELECT user_src, devtype, hostname_mac, sum(requests) AS requests FROM (### (SELECT coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, devtype, coalesce(nullifna(`srcname`), `srcmac`) AS hostname_mac, webfilter-TopWeb-UsersBy-BlockedRequests 114 Webfilter top web users by webfilter blocked requests count(*) AS requests FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') AND coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) IS NOT NULL AND utmaction='blocked' GROUP BY user_src, devtype, hostname_mac Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax ORDER BY requests DESC)### UNION ALL ### (SELECT coalesce(nullifna(ùser`), ipstr(`srcip`)) AS user_src, '0' AS devtype, ipstr(`srcip`) AS hostname_mac, count(*) AS requests FROM $log-webfilter WHERE $filter AND (eventtype IS NULL OR logver = 52) AND coalesce(nullifna(ùser`), ipstr(`srcip`)) IS NOT NULL AND action='blocked' GROUP BY user_src, devtype, hostname_mac ORDER BY requests DESC)###) t GROUP BY user_src, devtype, hostname_mac ORDER BY requests DESC webfilter-WebActivity-Summary-ByRequests Webfilter web activity sumwebfilter mary by requests Copyright © 2014 Fortinet, Inc. All Rights Reserved SELECT hodex, sum(coalesce(allowed_request, 0)) AS allowed_request, sum(coalesce(blocked_request, 0)) AS blocked_request FROM (### (SELECT coalesce(t1.hodex, t2.hodex) AS hodex, allowed_request, blocked_request FROM (SELECT $flex_timescale AS hodex, count(*) AS allowed_request FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') AND utmaction!='blocked' GROUP BY hodex ORDER BY hodex) AS t1 FULL JOIN (SELECT $flex_timescale AS hodex, count(*) AS blocked_request FROM $log-traffic WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') AND utmaction='blocked' GROUP BY hodex ORDER BY hodex) AS t2 ON t1.hodex = t2.hodex)### 115 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax UNION ALL ### (SELECT coalesce(t1.hodex, t2.hodex) AS hodex, allowed_request, blocked_request FROM (SELECT $flex_timescale AS hodex, count(*) AS allowed_request FROM $log-webfilter WHERE $filter AND (eventtype IS NULL OR logver = 52) AND action!='blocked' GROUP BY hodex ORDER BY hodex) AS t1 FULL JOIN (SELECT $flex_timescale AS hodex, count(*) AS blocked_request FROM $log-webfilter WHERE $filter AND (eventtype IS NULL OR logver = 52) AND action='blocked' GROUP BY hodex ORDER BY hodex) AS t2 ON t1.hodex = t2.hodex)###) t GROUP BY hodex ORDER BY hodex web-HourlyCategory-andWebsite-HitsAction 116 Web hourly category and Traffic website hits action SELECT hod, website, sum(hits) AS hits FROM (### (SELECT $hour_of_day AS hod, (hostname || ' (' || coalesce(`catdesc`, 'Unknown') || ')') AS website, count(*) AS hits FROM $log-traffic WHERE $filter AND hostname IS NOT NULL AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') GROUP BY hod, website ORDER BY hod, hits DESC)### UNION ALL ### (SELECT $hour_of_day AS hod, (hostname || ' (' || coalesce(`catdesc`, 'Unknown') || ')') AS website , count(*) AS hits FROM $log-webfilter WHERE $filter AND hostname IS NOT NULL AND (eventtype IS NULL OR logver=52) GROUP BY hod, website Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax ORDER BY hod, hits DESC)###) t GROUP BY hod, website ORDER BY hod, hits DESC Web top catweb-Top-Category and egory-andwebsites by Websites-bybandwidth Bandwidth usage web-Top-Category-andWebsites-bySession Web top category and websites by session Copyright © 2014 Fortinet, Inc. All Rights Reserved Traffic SELECT website, catdesc, sum(bandwidth) AS bandwidth FROM (### (SELECT hostname AS website, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-traffic WHERE $filter AND hostname IS NOT NULL AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') GROUP BY website, catdesc ORDER BY bandwidth DESC)### UNION ALL ### (SELECT hostname AS website, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-webfilter WHERE $filter AND hostname IS NOT NULL AND (eventtype IS NULL OR logver=52) GROUP BY website, catdesc ORDER BY bandwidth DESC)###) t GROUP BY website, catdesc ORDER BY bandwidth DESC Traffic SELECT website, catdesc, sum(hits) AS hits FROM (### (SELECT hostname AS website, catdesc, count(*) AS hits FROM $log-traffic WHERE $filter AND hostname IS NOT NULL AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 117 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax 'banned-word', 'web-content', 'command-block', 'script-filter') GROUP BY website, catdesc ORDER BY hits DESC)### UNION ALL ### (SELECT hostname AS website, catdesc, count(*) AS hits FROM $log-webfilter WHERE $filter AND hostname IS NOT NULL AND (eventtype IS NULL OR logver=52) GROUP BY website, catdesc ORDER BY hits DESC)###) t GROUP BY website, catdesc ORDER BY hits DESC web-TopUser-VistedWebsites-byBandwidth 118 Web top user visted webTraffic sites by bandwidth usage SELECT website, catdesc, sum(bandwidth) AS bandwidth FROM (### (SELECT hostname AS website, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-traffic WHERE $filter AND hostname IS NOT NULL AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') GROUP BY hostname, catdesc HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY bandwidth DESC)### UNION ALL ### (SELECT hostname AS website, catdesc, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log-webfilter WHERE $filter AND hostname IS NOT NULL AND (eventtype IS NULL OR logver=52) GROUP BY hostname, catdesc ORDER BY bandwidth DESC)###) t Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax GROUP BY website, catdesc ORDER BY bandwidth DESC web-TopUser-VistedWebsites-bySession Web top user visted webTraffic sites by session Web top webweb-Top-Website sessions site-SessionsTraffic by bandwidth by-Bandwidth usage Copyright © 2014 Fortinet, Inc. All Rights Reserved SELECT website, catdesc, sum(sessions) AS sessions FROM (### (SELECT hostname AS website, catdesc, count(*) AS sessions FROM $log-traffic WHERE $filter AND hostname IS NOT NULL AND logid_to_int(logid) NOT IN (4, 7, 14) AND utmevent IN ('webfilter', 'banned-word', 'web-content', 'command-block', 'script-filter') GROUP BY hostname, catdesc ORDER BY sessions DESC)### UNION ALL ### (SELECT hostname AS website, catdesc, count(*) AS sessions FROM $log-webfilter WHERE $filter AND hostname IS NOT NULL AND (eventtype IS NULL OR logver=52) GROUP BY hostname, catdesc ORDER BY sessions DESC)###) t GROUP BY website, catdesc ORDER BY sessions DESC SELECT FROM_dtime(dtime) AS TIMESTAMP, user_src, website, catdesc, cast(sum(dura)/60 AS decimal(18, 2)) AS dura, sum(bandwidth) AS bandwidth FROM ###( SELECT dtime, coalesce(nullifna(ùser`), nullifna(ùnauthuser`), ipstr(`srcip`)) AS user_src, hostname AS website, catdesc, sum(coalesce(duration, 0)) AS dura, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter AND hostname IS NOT NULL AND logid_to_int(logid) NOT IN (4, 7, 119 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax 14) AND action IN ('accept', 'close', 'timeout') GROUP BY dtime, user_src, website, catdesc HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))> 0 ORDER BY bandwidth DESC)### t GROUP BY dtime, user_src, website, catdesc ORDER BY bandwidth DESC wifi-NumWiFi num disTraffic Distinct-Client tinct client SELECT count(DISTINCT srcmac) AS totalnum FROM ### (SELECT srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) AS subtotal FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND (srcssid IS NOT NULL OR dstssid IS NOT NULL) AND srcmac IS NOT NULL GROUP BY srcintf, srcssid, osname, osversion, devtype, srcmac ORDER BY subtotal DESC)### t wifi-OverallTraffic SELECT sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND (srcssid IS NOT NULL OR dstssid IS NOT NULL) WiFi overall Traffic Traffic Top access wifi-Top-APpoint by band- Traffic By-Bandwidth width usage 120 SELECT srcintf, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND (srcssid IS NOT NULL OR dstssid IS NOT NULL) GROUP BY srcintf HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvd- Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax byte, 0))>0 ORDER BY bandwidth DESC wifi-Top-APBy-Client Top access point by client Traffic SELECT srcintf, count(DISTINCT srcmac) AS totalnum FROM ### (SELECT srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) AS subtotal FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND (srcssid IS NOT NULL OR dstssid IS NOT NULL) AND srcmac IS NOT NULL GROUP BY srcintf, srcssid, osname, osversion, devtype, srcmac ORDER BY subtotal DESC)### t GROUP BY srcintf ORDER BY totalnum DESC Top WiFi wifi-Top-App- applications Traffic By-Bandwidth by bandwidth usage SELECT appid, app, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND (srcssid IS NOT NULL OR dstssid IS NOT NULL) AND nullifna(app) IS NOT NULL GROUP BY appid, app HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY bandwidth DESC wifi-Top-Client-By-Bandwidth SELECT (coalesce(srcname, srcmac, 'unknown') || ' (' || coalesce(devtype, 'unknown') || ', ' || coalesce(osname, '') || (CASE WHEN osversion IS NULL THEN '' ELSE ' ' || osversion END) || ')') AS client, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND (srcssid IS NOT NULL OR dstssid IS NOT NULL) GROUP BY client HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY bandwidth DESC Top WiFi client by bandwidth usage Copyright © 2014 Fortinet, Inc. All Rights Reserved Traffic 121 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name wifi-TopDevice-ByBandwidth Description Log Category Query Syntax Top WiFi device by bandwidth usage SELECT devtype, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND (srcssid IS NOT NULL OR dstssid IS NOT NULL) AND devtype IS NOT NULL GROUP BY devtype HAVING sum(coalesce(sentbyte, 0)+coalesce (rcvdbyte, 0))>0 ORDER BY bandwidth DESC Traffic wifi-TopTop WiFi Device-By-Cli- device by cli- Traffic ent ent SELECT devtype, count(DISTINCT srcmac) AS totalnum FROM ### (SELECT srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) AS subtotal FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND (srcssid IS NOT NULL OR dstssid IS NOT NULL) AND srcmac IS NOT NULL GROUP BY srcintf, srcssid, osname, osversion, devtype, srcmac ORDER BY subtotal DESC)### t WHERE devtype IS NOT NULL GROUP BY devtype ORDER BY totalnum DESC Top WiFi os wifi-Top-OSby bandwidth Traffic By-Bandwidth usage SELECT (coalesce(osname, 'unknown') || ' ' || coalesce(osversion, '')) AS os, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND (srcssid IS NOT NULL OR dstssid IS NOT NULL) GROUP BY os HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY bandwidth DESC wifi-Top-OS- Top WiFi os Traffic By-WiFi-Client by WiFi client SELECT (coalesce(osname, 'unknown') || ' ' || coalesce(osversion, '')) AS os, count(DISTINCT srcmac) AS totalnum FROM ### 122 Copyright © 2014 Fortinet, Inc. Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax (SELECT srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) AS subtotal FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND (srcssid IS NOT NULL OR dstssid IS NOT NULL) AND srcmac IS NOT NULL GROUP BY srcintf, srcssid, osname, osversion, devtype, srcmac ORDER BY subtotal DESC)### t GROUP BY os ORDER BY totalnum DESC Top SSIDs by wifi-Top-SSIDbandwidth Traffic By-Bandwidth usage SELECT srcssid, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) AS bandwidth FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND srcssid IS NOT NULL GROUP BY srcssid HAVING sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0))>0 ORDER BY bandwidth DESC wifi-Top-SSID- Top SSIDs by Traffic By-Client client SELECT srcssid, count(DISTINCT srcmac) AS totalnum FROM ### (SELECT srcintf, srcssid, osname, osversion, devtype, srcmac, count(*) AS subtotal FROM $log WHERE $filter AND logid_to_int(logid) NOT IN (4, 7, 14) AND (srcssid IS NOT NULL OR dstssid IS NOT NULL) AND srcmac IS NOT NULL GROUP BY srcintf, srcssid, osname, osversion, devtype, Copyright © 2014 Fortinet, Inc. All Rights Reserved 123 Dataset Reference List FortiAnalyzer v5.0.8 Datasets Dataset Name Description Log Category Query Syntax srcmac ORDER BY subtotal DESC)### t WHERE srcssid IS NOT NULL GROUP BY srcssid ORDER BY totalnum DESC 124 Copyright © 2014 Fortinet, Inc. Macro Reference List FortiAnalyzer v5.0.8 Datasets Macro Reference List The following table lists the available predefined macros that can be used in a report layout to display the log data as text (XML format) dynamically. Macro Name Description Dataset Used Log Category Application Category with Highest Session Count Application category with the highest session count App-Sessions-By-Category Application with Highest Bandwidth Application with the highest bandwidth usage Top-App-By-Bandwidth Traffic Traffic Application with Highest Session Applications with the highest sesCount sion count Top-App-By-Sessions Attack with Highest Session Count Attack with highest session count Utm-Top-Attack-Source Attack Botnet with Highest Session Count Botnet with the highest session count Detected-Botnet Traffic Destination with Highest Bandwidth Destination with the highest bandwidth usage Top-Destinations-ByBandwidth Traffic Destination with Highest Session Destination with the highest sesCount sion count Top-Destinations-BySessions Traffic Highest Bandwidth Consumed (Application) Category Highest bandwidth consumed by application category App-Risk-App-UsageBy-Category Traffic Highest Bandwidth Consumed (Application) Highest bandwidth consumed by application Top-App-By-Bandwidth Traffic Highest Bandwidth Consumed (Destination) Highest bandwidth consumed by destination Top-Destinations-ByBandwidth Highest Bandwidth Consumed (P2P Application) Highest bandwidth consumed by P2P application Top-P2P-App-By-BandTraffic width Highest Bandwidth Consumed (Source) Highest bandwidth consumed by source Top-Users-By-Bandwidth Highest Bandwidth Consumed () Web Category) Highest bandwidth consumed by website category Top-Web-Category-byWeb Filter Bandwidth Highest Bandwidth Consumed (Website) Highest bandwidth consumed by website Top-Web-Sites-byBandwidth Web Filter Highest Risk Application with Highest Bandwidth Highest risk application with the highest bandwidth usage High-Risk-ApplicationBy-Bandwidth Traffic Highest Risk Application with Highest Session Count Highest risk application with the highest session count High-Risk-ApplicationBy-Sessions Traffic Highest Session Count by Applic- Highest session count by application Category ation category App-Sessions-By-Category Traffic Highest Session Count by Applic- Highest session count by application ation Top-App-By-Sessions Traffic Highest Session Count by Attack Utm-Top-Attack-Source Attack Highest session count by attack Traffic Traffic Traffic Highest Session Count by Botnet Highest session count by botnet Detected-Botnet Traffic Highest Session Count by Destin- Highest session count by desation tination Top-Destinations-BySessions Traffic Highest Session Count by Threat-Attacks-By- Attack Copyright © 2014 Fortinet, Inc. All Rights Reserved Highest session count by highest 125 Macro Reference List FortiAnalyzer v5.0.8 Datasets Macro Name Description Dataset Used Highest Severity Attack severity attack Severity Highest Session Count by P2P Application Highest session count by P2P application Top-P2P-App-By-Sessions Traffic Highest Session Count by Source Highest session count by source Top-User-Source-BySessions Traffic Highest Session Count by Virus Highest session count by virus Utm-Top-Virus Traffic Highest Session Count by Web Category Highest session count by website category Top-Web-Category-byWeb Filter Sessions Highest Session Count by Website Highest session count by website Top-Web-Sites-by-SesWeb Filter sions Highest Severity Attack with Highest Session Count Highest severity attack with the highest session count Threat-Attacks-BySeverity P2P Application with Highest Bandwidth P2P applications with the highest bandwidth usage Top-P2P-App-By-BandTraffic width P2P Application with Highest Ses- P2P applications with the highest sion Count session count Log Category Attack Top-P2P-App-By-Sessions Traffic Source with Highest Bandwidth Source with the highest bandwidth usage Top-Users-By-Bandwidth Traffic Source with Highest Session Count Source with the highest session count Top-User-Source-BySessions Traffic Total Number of Attacks Total number of attacks detected Total-Attack-Source Attack Total Number of Botnet Events Total number of botnet events Total-Number-of-Botnet-Events Traffic Total Number of Viruses Total number of viruses detected Total-Number-ofViruses Traffic User Details User details of traffic Traffic-User-Detail Traffic Virus with Highest Session Count Virus with the highest session count Utm-Top-Virus Traffic Web Category with Highest Band- Web filtering category with the width highest bandwidth usage Top-Web-Category-byWeb Filter Bandwidth Web Category with Highest Session Count Web filtering category with the highest session count Top-Web-Category-byWeb Filter Sessions Website with Highest Bandwidth Website with the highest bandwidth Top-Web-Sites-byusage Bandwidth Website with Highest Session Count Website with the highest session count 126 Web Filter Top-Web-Sites-by-SesWeb Filter sions Copyright © 2014 Fortinet, Inc.

FortiAnalyzer Dataset Reference Guide (1)

Related documents

Products

Support

FortiAnalyzer Dataset Reference Guide (1)

Related documents

Add this document to collection(s)

Add this document to saved

Suggest us how to improve StudyLib