Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Understanding event statuses

In the Event Monitor dashboards, you can view the status of an event in the Event Status column. Event statuses include Unhandled, Mitigated, Contained, and (blank).

Event statuses are applied by the associated event handler. When creating a custom event handler, you can manually select an event status or choose to allow FortiAnalyzer to decide.

In general, when Allow FortiAnalyzer to choose is selected, the event status for UTM events is applied based on the following:

Event status

Description

Unhandled

The security event risk is not mitigated or contained, so it is considered open.

Example: an IPS/AV log with action=pass will have the event status Unhandled.

Botnet and IoC events are also considered Unhandled.

Contained

The risk source is isolated.

Example: an AV log with action=quarantine will have the event status Contained.

Mitigated

The security risk is mitigated by being blocked or dropped.

Example: an IPS/AV log with action=block/drop will have the event status Mitigated.

(Blank) Other scenarios.

Understanding event statuses

In the Event Monitor dashboards, you can view the status of an event in the Event Status column. Event statuses include Unhandled, Mitigated, Contained, and (blank).

Event statuses are applied by the associated event handler. When creating a custom event handler, you can manually select an event status or choose to allow FortiAnalyzer to decide.

In general, when Allow FortiAnalyzer to choose is selected, the event status for UTM events is applied based on the following:

Event status

Description

Unhandled

The security event risk is not mitigated or contained, so it is considered open.

Example: an IPS/AV log with action=pass will have the event status Unhandled.

Botnet and IoC events are also considered Unhandled.

Contained

The risk source is isolated.

Example: an AV log with action=quarantine will have the event status Contained.

Mitigated

The security risk is mitigated by being blocked or dropped.

Example: an IPS/AV log with action=block/drop will have the event status Mitigated.

(Blank) Other scenarios.