Fortinet black logo

Administration Guide

Predefined event handlers

Predefined event handlers

FortiAnalyzer includes many predefined event handlers for FortiGate and FortiCarrier devices that you can use to generate events. You can easily create a custom event handler by cloning a predefined event handler and customizing its settings. See Cloning event handlers.

The following are a small sample of predefined event handlers. To see all predefined event handlers, go to Event Manager > Event Monitor > Event Handler List and select Show Predefined.

Event Handler

Description

Application Crashed Event

Enabled by default

  • Event Severity: Medium
  • Log Type: Event Log
  • Log Subtype: System
  • Group by: Log Description
  • Log messages that match all conditions:
    • Log Description Equal To Application crashed
    • Level Greater Than or Equal To Warning

Default-High-Risk-App-Detection

Disabled by default

Filter 1:

  • Event Severity: Medium
  • Log Type: Application Control
  • Group by: Source Endpoint, Application Name
  • Log messages that match all of the following conditions:
    • Action Equal To Block
    • Application Risk Equal To critical

Filter 2:

  • Event Severity: High
  • Log Type: Application Control
  • Group by: Source Endpoint, Application Name
  • Log messages that match all of the following conditions:
    • Action Not Equal To Block
    • Application Risk Equal To critical

Filter 3:

  • Event Severity: Low
  • Log Type: Application Control
  • Group by: Source Endpoint, Application Name
  • Log messages that match all of the following conditions:
    • Action Equal To Block
    • Application Risk Equal To high

Filter 4:

  • Event Severity: Medium
  • Log Type: Application Control
  • Group by: Source Endpoint, Application Name
  • Log messages that match all of the following conditions:
    • Action Not Equal To Block
    • Application Risk Equal To high

Default - Sandbox-Detection

Disabled by default

Filter 1:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Endpoint, Virus Name
  • Log messages that match all of the following conditions:
    • logid==0211009235

Filter 2:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Endpoint, Virus Name
  • Log messages that match all of the following conditions:
    • logid==0211009234

Filter 3:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Endpoint
  • Log messages that match all of the following conditions:
    • logid==0201009238 and fsaverdict==malicious

Default-Compromised Host-Detection-by IOC

Disabled by default

Filter 1:

  • Event Severity: Critical
  • Log Type: Traffic Log
  • Group by: Endpoint
  • Log messages that match all of the following conditions:
    • tdtype~infected

Filter 2:

  • Event Severity: Critical
  • Log Type: Web Filter
  • Group by: Endpoint
  • Log messages that match all of the following conditions:
    • tdtype~infected

Filter 3:

  • Event Severity: Critical
  • Log Type: DNS Log
  • Group by: Endpoint
  • Log messages that match all of the following conditions:
    • tdtype~infected

IPS - Critical Severity

Enabled by default

  • Event Severity: Critical
  • Log Type: IPS
  • Group by: Attack Name
  • Log messages that match all conditions:
    • Severity Equal To Critical

UTM Antivirus Event

Enabled by default

  • Event Severity: High
  • Log Type: Antivirus
  • Group by: Virus Name
  • Log messages that match all conditions:
    • Level Greater Than or Equal To Information
    • virus!='' and virus!='N/A' and dtype!='fortisandbox'

UTM Web Filter Event

Enabled by default

  • Event Severity: Medium
  • Log Type: Web Filter
  • Group by: Category
  • Log messages that match any of the following conditions:
    • Web Category Equal To Child Abuse
    • Web Category Equal To Discrimination
    • Web Category Equal To Drug Abuse
    • Web Category Equal To Explicit Violence
    • Web Category Equal To Extremist Groups
    • Web Category Equal To Hacking
    • Web Category Equal To Illegal or Unethical
    • Web Category Equal To Plagiarism
    • Web Category Equal To Proxy Avoidance
    • Web Category Equal To Malicious Websites
    • Web Category Equal To Phishing
    • Web Category Equal To Spam URLs

Predefined event handlers

FortiAnalyzer includes many predefined event handlers for FortiGate and FortiCarrier devices that you can use to generate events. You can easily create a custom event handler by cloning a predefined event handler and customizing its settings. See Cloning event handlers.

The following are a small sample of predefined event handlers. To see all predefined event handlers, go to Event Manager > Event Monitor > Event Handler List and select Show Predefined.

Event Handler

Description

Application Crashed Event

Enabled by default

  • Event Severity: Medium
  • Log Type: Event Log
  • Log Subtype: System
  • Group by: Log Description
  • Log messages that match all conditions:
    • Log Description Equal To Application crashed
    • Level Greater Than or Equal To Warning

Default-High-Risk-App-Detection

Disabled by default

Filter 1:

  • Event Severity: Medium
  • Log Type: Application Control
  • Group by: Source Endpoint, Application Name
  • Log messages that match all of the following conditions:
    • Action Equal To Block
    • Application Risk Equal To critical

Filter 2:

  • Event Severity: High
  • Log Type: Application Control
  • Group by: Source Endpoint, Application Name
  • Log messages that match all of the following conditions:
    • Action Not Equal To Block
    • Application Risk Equal To critical

Filter 3:

  • Event Severity: Low
  • Log Type: Application Control
  • Group by: Source Endpoint, Application Name
  • Log messages that match all of the following conditions:
    • Action Equal To Block
    • Application Risk Equal To high

Filter 4:

  • Event Severity: Medium
  • Log Type: Application Control
  • Group by: Source Endpoint, Application Name
  • Log messages that match all of the following conditions:
    • Action Not Equal To Block
    • Application Risk Equal To high

Default - Sandbox-Detection

Disabled by default

Filter 1:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Endpoint, Virus Name
  • Log messages that match all of the following conditions:
    • logid==0211009235

Filter 2:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Endpoint, Virus Name
  • Log messages that match all of the following conditions:
    • logid==0211009234

Filter 3:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Endpoint
  • Log messages that match all of the following conditions:
    • logid==0201009238 and fsaverdict==malicious

Default-Compromised Host-Detection-by IOC

Disabled by default

Filter 1:

  • Event Severity: Critical
  • Log Type: Traffic Log
  • Group by: Endpoint
  • Log messages that match all of the following conditions:
    • tdtype~infected

Filter 2:

  • Event Severity: Critical
  • Log Type: Web Filter
  • Group by: Endpoint
  • Log messages that match all of the following conditions:
    • tdtype~infected

Filter 3:

  • Event Severity: Critical
  • Log Type: DNS Log
  • Group by: Endpoint
  • Log messages that match all of the following conditions:
    • tdtype~infected

IPS - Critical Severity

Enabled by default

  • Event Severity: Critical
  • Log Type: IPS
  • Group by: Attack Name
  • Log messages that match all conditions:
    • Severity Equal To Critical

UTM Antivirus Event

Enabled by default

  • Event Severity: High
  • Log Type: Antivirus
  • Group by: Virus Name
  • Log messages that match all conditions:
    • Level Greater Than or Equal To Information
    • virus!='' and virus!='N/A' and dtype!='fortisandbox'

UTM Web Filter Event

Enabled by default

  • Event Severity: Medium
  • Log Type: Web Filter
  • Group by: Category
  • Log messages that match any of the following conditions:
    • Web Category Equal To Child Abuse
    • Web Category Equal To Discrimination
    • Web Category Equal To Drug Abuse
    • Web Category Equal To Explicit Violence
    • Web Category Equal To Extremist Groups
    • Web Category Equal To Hacking
    • Web Category Equal To Illegal or Unethical
    • Web Category Equal To Plagiarism
    • Web Category Equal To Proxy Avoidance
    • Web Category Equal To Malicious Websites
    • Web Category Equal To Phishing
    • Web Category Equal To Spam URLs