I am in Splunk Cloud 9.4 and ES 7.3.   I do not see any .conf file.  However I can use the UI to see field. For the fortinet-fortigate TA there was no tag web linked to eventtype=fortigate_utm_webfilter.  I change it.  Conversely if I look at eventtype=fortigate_utm_webfilter there is only two tags: traffic, communication.   But in practice, not in splunk context,  the logs for webfilter and appctrl  and from same session and looking at them separately does not give the whole picture for threat hunting. As a result of ingesting these logs separately we have lot of logs that have only a few of the fields for the data model web (dataset Web.Web).  I was told I can solve that by doing a join prior to the correlation search used to create the dashboards for web intelligence.  Not sure how that works.       ... View more

OK.  Thanks for confirming that this is not done by default.  My is sourcetype=fortigate_utm.  I added tag web to eventtype=fortigate_utm_webfilter.  And created a new eventtype from eventtype=fortigate_utm_app-ctrl because not all app-ctrl are Dataset Web.Web logs.  This new eventtype is eventtype=fortigate_utm_app-ctrl_web  it only has a subset of the app-ctrl category.  Logically I would use sessionid to create logical log from both webfilter and app-ctrl and be able to alias all the fields of the logical log to the CIM fields. For Fortinet TA app and sourcetype=fortigate_utm  I created the following calculated  field  url_length, transport, http_referrer_domain, http_user_agent_lenght, http_method.  I also created new aliases: vendor_url AS uri, action AS web_action and service AS app_protocol After I check the dashboard under Security Intelligence>Web Intelligence> new domain analysis was still empty.  I found out to change the alias for  "dest" from domain.  Therefore change the alias for sourcetype.fortigate_utm for dest.   Does this seems like the right approach.  Is there other guidance on this?  ... View more