Administration Guide

Predefined event handlers

FortiAnalyzer includes many predefined event handlers for FortiGate and FortiCarrier devices that you can use to generate events. You can easily create a custom event handler by cloning a predefined event handler and customizing its settings. See Cloning event handlers.

The following are a small sample of predefined event handlers. To see all predefined event handlers, go to Event Manager > Event Monitor > Event Handler List and select Show Predefined.

Event Handler

Description

Application Crashed Event

Enabled by default

  • Event Severity: Medium
  • Log Type: Event Log
  • Log Subtype: System
  • Group by: Log Description
  • Log messages that match all conditions:
    • Log Description Equal To Application crashed
    • Level Greater Than or Equal To Warning

Default-High-Risk-App-Detection

Disabled by default

Filter 1:

  • Event Severity: Medium
  • Log Type: Application Control
  • Group by: Source Endpoint, Application Name
  • Log messages that match all of the following conditions:
    • Action Equal To Block
    • Application Risk Equal To critical

Filter 2:

  • Event Severity: High
  • Log Type: Application Control
  • Group by: Source Endpoint, Application Name
  • Log messages that match all of the following conditions:
    • Action Not Equal To Block
    • Application Risk Equal To critical

Filter 3:

  • Event Severity: Low
  • Log Type: Application Control
  • Group by: Source Endpoint, Application Name
  • Log messages that match all of the following conditions:
    • Action Equal To Block
    • Application Risk Equal To high

Filter 4:

  • Event Severity: Medium
  • Log Type: Application Control
  • Group by: Source Endpoint, Application Name
  • Log messages that match all of the following conditions:
    • Action Not Equal To Block
    • Application Risk Equal To high

Default - Sandbox-Detection

Disabled by default

Filter 1:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Endpoint, Virus Name
  • Log messages that match all of the following conditions:
    • logid==0211009235

Filter 2:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Endpoint, Virus Name
  • Log messages that match all of the following conditions:
    • logid==0211009234

Filter 3:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Endpoint
  • Log messages that match all of the following conditions:
    • logid==0201009238 and fsaverdict==malicious

Default-Compromised Host-Detection-by IOC

Disabled by default

Filter 1:

  • Event Severity: Critical
  • Log Type: Traffic Log
  • Group by: Endpoint
  • Log messages that match all of the following conditions:
    • tdtype~infected

Filter 2:

  • Event Severity: Critical
  • Log Type: Web Filter
  • Group by: Endpoint
  • Log messages that match all of the following conditions:
    • tdtype~infected

Filter 3:

  • Event Severity: Critical
  • Log Type: DNS Log
  • Group by: Endpoint
  • Log messages that match all of the following conditions:
    • tdtype~infected

IPS - Critical Severity

Enabled by default

  • Event Severity: Critical
  • Log Type: IPS
  • Group by: Attack Name
  • Log messages that match all conditions:
    • Severity Equal To Critical

UTM Antivirus Event

Enabled by default

  • Event Severity: High
  • Log Type: Antivirus
  • Group by: Virus Name
  • Log messages that match all conditions:
    • Level Greater Than or Equal To Information
    • virus!='' and virus!='N/A' and dtype!='fortisandbox'

UTM Web Filter Event

Enabled by default

  • Event Severity: Medium
  • Log Type: Web Filter
  • Group by: Category
  • Log messages that match any of the following conditions:
    • Web Category Equal To Child Abuse
    • Web Category Equal To Discrimination
    • Web Category Equal To Drug Abuse
    • Web Category Equal To Explicit Violence
    • Web Category Equal To Extremist Groups
    • Web Category Equal To Hacking
    • Web Category Equal To Illegal or Unethical
    • Web Category Equal To Plagiarism
    • Web Category Equal To Proxy Avoidance
    • Web Category Equal To Malicious Websites
    • Web Category Equal To Phishing
    • Web Category Equal To Spam URLs
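
To make the filter semantics concrete (equality, inequality, the `~` contains test, "all" versus "any" conditions, and Group by), here is an added Python example, not FortiAnalyzer code, that evaluates three of the handlers above over constructed FortiGate-style key=value records. It assumes that "Endpoint" can be approximated by the srcip field, collapses the three identical per-log-type IOC filters into one, and omits the Level condition of UTM Antivirus Event because the constructed records carry no level field.

```python
import re
from collections import defaultdict
# Constructed sample records in FortiGate key=value style (not captured from a real device).
SAMPLE_LOGS = [
    'logid=0201009238 type=utm subtype=virus srcip=10.0.0.5 virus="Trojan.Generic" fsaverdict=malicious dtype=fortisandbox',
    'logid=0211009235 type=utm subtype=virus srcip=10.0.0.5 virus="EICAR_TEST_FILE" dtype=fortisandbox',
    'logid=0000000013 type=traffic subtype=forward srcip=10.0.0.7 dstip=203.0.113.9 tdtype=infected-ip',
    'logid=0316013056 type=utm subtype=webfilter srcip=10.0.0.7 tdtype=infected-url',
    'logid=0211008192 type=utm subtype=virus srcip=10.0.0.9 virus="N/A" dtype=av',
    'logid=0211008192 type=utm subtype=virus srcip=10.0.0.9 virus="Malware.Foo" dtype=av',
]

# Filters are (field, operator, value) triples; '~' is the contains test behind tdtype~infected.
# Assumptions: "Endpoint" ~ srcip, the three IOC filters are collapsed into one, Level is omitted.
HANDLERS = {
    "Default - Sandbox-Detection (Filter 3)": {
        "severity": "Critical", "group_by": ("srcip",), "mode": "all",
        "conds": [("logid", "==", "0201009238"), ("fsaverdict", "==", "malicious")]},
    "Default-Compromised Host-Detection-by IOC": {
        "severity": "Critical", "group_by": ("srcip",), "mode": "all",
        "conds": [("tdtype", "~", "infected")]},
    "UTM Antivirus Event": {
        "severity": "High", "group_by": ("virus",), "mode": "all",
        "conds": [("virus", "!=", ""), ("virus", "!=", "N/A"), ("dtype", "!=", "fortisandbox")]},
}

def parse_log(line):
    # Split a key=value line into a dict; quoted values may contain spaces, quotes are dropped.
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S*)', line)}

def match_cond(log, field, op, value):
    actual = log.get(field, "")  # a missing field behaves like an empty value
    if op == "==": return actual == value
    if op == "!=": return actual != value
    if op == "~":  return value in actual
    raise ValueError(f"unknown operator {op}")

def matches(log, conds, mode="all"):
    hits = [match_cond(log, *c) for c in conds]  # "all" vs "any of the following conditions"
    return all(hits) if mode == "all" else any(hits)

def run_handlers(lines, handlers=HANDLERS):
    """Return {handler: {group_key: count}}: one counter per Group-by key, as in Event Monitor."""
    events = defaultdict(lambda: defaultdict(int))
    for line in lines:
        log = parse_log(line)
        for name, h in handlers.items():
            if matches(log, h["conds"], h["mode"]):
                events[name][tuple(log.get(f, "") for f in h["group_by"])] += 1
    return {n: dict(g) for n, g in events.items()}
```

Note that the first record fires only the sandbox handler: its dtype is fortisandbox, so the `dtype!='fortisandbox'` clause keeps UTM Antivirus Event from double-reporting the same verdict.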