Intelligent and Customizable Event Filtering
FortiAnalyzer 6.2 introduces new flexibility to the Incidents & Events module by allowing event handlers to tag events with one or more user-defined tags. These tags are then used to group events into different views, visible in the left navigation pane of the Incidents & Events module. Default views can be hidden, disabled, or copied and reassigned to another view category.
The three new Event Monitor categories, each with its own sub-views, are:
- By Endpoint: Provides security event views from an endpoint perspective.
- By Threat: Provides security event views from a threat perspective.
- System Events: Provides event views which cover device system events.
In order to trigger events, the corresponding default event handlers must be enabled. Refer to the table below for details on which default event handlers support each view.
| View | Corresponding default event handler |
|---|---|
| Compromised Host / C&C Call Back | Default-Botnet-Communication-Detection-By-Endpoint/Threat, Default-Compromised Host-Detection-IOC-By-Endpoint/Threat |
| High Risk App Usage | Default-Risky-App-Detection-By-Endpoint/Threat |
| Malicious Domain/URL Access | Default-Risky-Destination-Detection-By-Endpoint/Threat |
| Malware Activity | Default-Sandbox-Detections-By-Endpoint/Threat, Default-Malicious-File-Detection-By-Endpoint/Threat |
| Ongoing Intrusion | Default-Malicious-Code-Detection-By-Endpoint/Threat |
| Sandbox Detection | Default-Sandbox-Detections-By-Endpoint/Threat |
| FortiGate | Default FOS System Events |
| Local Device | Local Device Event |
View categorization
- Tags determine which events are visible from each view. Tags are defined by the corresponding event handler(s).
- Examples of view categorization based on event tags:
  - By Endpoint > All Security Events covers all tags associated with By Endpoint views.
  - By Endpoint > Malicious Domain/URL Access includes events with the tags Risky, BY_Endpoint and URL or Domain. These tags are set by the event handler Default-Risky-Destination-Detection-By-Endpoint.
  - By Threat > All Security Events covers all tags associated with By Threat views.
  - By Threat > Malware Activity includes events with the tags Malware and By_Threat. These tags are set by the event handlers Default-Sandbox-Detections-By-Threat and Default-Malicious-File-Detection-By-Threat.
  - System Events > All covers all tags associated with System Events views.
  - System Events > FortiGate includes events with the tag FortiOS under System. These tags are set by the event handler Default FOS System Events. The FortiGate view is only shown in root or Fabric ADOMs.
  - System Events > Local Device includes events with the tag Local under System. These tags are set by the event handler Local Device Event. The Local Device view is only shown in a root ADOM.
- When a security event log triggers an event with an enabled event handler, it will be visible from the different views. Example: By Endpoint > Malware Activity shows malware activity under each endpoint, while By Threat > Malware Activity shows endpoints under each entry of malware activity.
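The tag-to-view logic described above, modelled in Python as an added example (this is not FortiAnalyzer code; the sample events, the "Application" tag, and the tags assumed for By Endpoint > Malware Activity are constructed for illustration):

```python
from collections import defaultdict

# Constructed sample events. Each carries the tags its event handler assigned;
# tag names follow the page (Risky, BY_Endpoint, URL, Domain, Malware, By_Threat).
# The malware events carry both category tags, modelling the By-Endpoint and
# By-Threat handler variants having both fired on the same log (an assumption).
# "Application" on event 6 is a hypothetical tag, not one named on the page.
EVENTS = [
    {"id": 1, "endpoint": "host-a", "threat": "evil.example", "tags": {"Risky", "BY_Endpoint", "Domain"}},
    {"id": 2, "endpoint": "host-b", "threat": "http://bad.example/x", "tags": {"Risky", "BY_Endpoint", "URL"}},
    {"id": 3, "endpoint": "host-a", "threat": "Trojan.Generic", "tags": {"Malware", "BY_Endpoint", "By_Threat"}},
    {"id": 4, "endpoint": "host-c", "threat": "Trojan.Generic", "tags": {"Malware", "BY_Endpoint", "By_Threat"}},
    {"id": 5, "endpoint": "host-b", "threat": "Dropper.X", "tags": {"Malware", "BY_Endpoint", "By_Threat"}},
    {"id": 6, "endpoint": "host-a", "threat": "torrent-client", "tags": {"Risky", "BY_Endpoint", "Application"}},
]

# A view is a conjunction of tag groups; a group is satisfied by any one of its tags,
# so "Risky AND BY_Endpoint AND (URL OR Domain)" is three groups. The second element
# is the perspective the view groups by. The By Endpoint > Malware Activity tags are
# assumed by analogy with the By Threat variant the page lists.
VIEWS = {
    "By Endpoint > Malicious Domain/URL Access": ([{"Risky"}, {"BY_Endpoint"}, {"URL", "Domain"}], "endpoint"),
    "By Endpoint > Malware Activity": ([{"Malware"}, {"BY_Endpoint"}], "endpoint"),
    "By Threat > Malware Activity": ([{"Malware"}, {"By_Threat"}], "threat"),
}


def in_view(view_name, event):
    """True when the event carries at least one tag from every group the view requires."""
    groups, _ = VIEWS[view_name]
    return all(group & event["tags"] for group in groups)


def view_contents(view_name):
    """Return {perspective key: sorted list of the other dimension} for a view.

    By Endpoint views list threats under each endpoint; By Threat views list
    endpoints under each threat, which is the pivot the page describes.
    """
    _, key = VIEWS[view_name]
    other = "threat" if key == "endpoint" else "endpoint"
    grouped = defaultdict(set)
    for event in EVENTS:
        if in_view(view_name, event):
            grouped[event[key]].add(event[other])
    return {k: sorted(v) for k, v in sorted(grouped.items())}
```

Event 6 carries Risky and BY_Endpoint but neither URL nor Domain, so it is excluded from the Malicious Domain/URL Access view, which is the conjunction the page spells out.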
Manage default views
To hide default views:
- Go to Incidents & Events.
- Right-click the view you want to hide.
- Select Hide from the context menu.
To disable or enable default views:
- Go to Incidents & Events.
- Select the gear icon on the bottom right-side of the navigation tree to access the Default Views settings.
- Choose which views are displayed by adding or removing a checkmark.
- Select Save.
To create and relocate custom views:
- Go to Incidents & Events.
- Select the view you want to copy.
- Select the custom view icon in the top-right corner.
- Enter a name for the custom view and assign it to one of the following categories:
  - By Endpoint
  - By Threat
  - System Events
  - Custom View
- Select OK.