Intelligent and Customizable Event Filtering

FortiAnalyzer 6.2 introduces new flexibility to the Incidents & Events module by allowing event handlers to tag events with one or more user-defined tags. These tags are then used to group events into different views, visible in the left navigation pane of the Incidents & Events module. Default views can be hidden, disabled, or copied and reassigned to another view category.

The three new Event Monitor categories with sub views include:

  • By Endpoint: Provides security event views from an endpoint perspective.
  • By Threat: Provides security event views from a threat perspective.
  • System Events: Provides event views which cover device system events.

In order to trigger events, the corresponding default event handlers must be enabled. Refer to the chart below for details on which default event handlers support each view.

View                               Corresponding default event handler
---------------------------------  ---------------------------------------------------------
Compromised Host / C&C Call Back   Default-Botnet-Communication-Detection-By-Endpoint/Threat
                                   Default-Compromised Host-Detection-IOC-By-Endpoint/Threat
High Risk App Usage                Default-Risky-App-Detection-By-Endpoint/Threat
Malicious Domain/URL Access        Default-Risky-Destination-Detection-By-Endpoint/Threat
Malware Activity                   Default-Sandbox-Detections-By-Endpoint/Threat
                                   Default-Malicious-File-Detection-By-Endpoint/Threat
Ongoing Intrusion                  Default-Malicious-Code-Detection-By-Endpoint/Threat
Sandbox Detection                  Default-Sandbox-Detections-By-Endpoint/Threat
FortiGate                          Default FOS System Events
Local Device                       Local Device Event

View categorization

  • Tags determine which events are visible from each view. Tags are defined by the corresponding event handler(s).

  • Example of view categorization based on event tags:
    • By Endpoint > All Security Events covers all tags associated with By Endpoint views.

    • By Endpoint > Malicious Domain/URL Access includes events that carry the tags Risky and BY_Endpoint together with either URL or Domain.
      These tags are set by the event handler Default-Risky-Destination-Detection-By-Endpoint.

    • By Threat > All Security Events covers all tags associated with By Threat views.

    • By Threat > Malware Activity includes events with the tags Malware and By_Threat.
      These tags are set by the event handlers Default-Sandbox-Detections-By-Threat and Default-Malicious-File-Detection-By-Threat.

    • System Events > All covers all tags associated with System Events views.

    • System Events > FortiGate includes events with the tag FortiOS under System.
      These tags are set by the event handler Default FOS System Events. The FortiGate view is only shown in root or Fabric ADOMs.

    • System Events > Local Device includes events with the tag Local under System.
      These tags are set by the event handler Local Device Event. The Local Device view is only shown in a root ADOM.

  • When a security event log triggers an event through an enabled event handler, that event becomes visible from every view whose tags it carries.
    Example: By Endpoint > Malware Activity lists the malware activity seen under each endpoint, while By Threat > Malware Activity lists the endpoints seen under each entry of malware activity.
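The following is an added illustration of the tag-based categorization described above; it is a constructed model, not FortiAnalyzer code or its API. Handler and tag names are taken from this page, while the event records, the tag set assumed for By Endpoint > Malware Activity (by analogy with the By Threat tags the page gives), and the grouping keys are assumptions of the example. It shows three things a practitioner tends to check: that a view is a predicate over an event's tags, that a disabled handler leaves its views empty, and that By Endpoint and By Threat pivot the same events differently.

```python
"""Constructed model of tag-based event views (added example, not
FortiAnalyzer code). Event handlers attach tags, views are predicates over
tag sets, and By Endpoint / By Threat pivot the same events differently."""
from collections import defaultdict

# Constructed sample events. "tags" are what the named handler would set;
# the By-Endpoint malware tag set is assumed by analogy with the By Threat one.
EVENTS = [
    {"id": 1, "handler": "Default-Risky-Destination-Detection-By-Endpoint",
     "endpoint": "host-a", "threat": "bad.example",
     "tags": {"Risky", "BY_Endpoint", "URL"}},
    {"id": 2, "handler": "Default-Risky-Destination-Detection-By-Endpoint",
     "endpoint": "host-b", "threat": "evil.example",
     "tags": {"Risky", "BY_Endpoint", "Domain"}},
    {"id": 3, "handler": "Default-Sandbox-Detections-By-Threat",
     "endpoint": "host-a", "threat": "Trojan.Generic",
     "tags": {"Malware", "By_Threat"}},
    {"id": 4, "handler": "Default-Malicious-File-Detection-By-Threat",
     "endpoint": "host-c", "threat": "Trojan.Generic",
     "tags": {"Malware", "By_Threat"}},
    {"id": 5, "handler": "Default-Malicious-File-Detection-By-Endpoint",
     "endpoint": "host-a", "threat": "Trojan.Generic",
     "tags": {"Malware", "BY_Endpoint"}},          # assumed tag set
    {"id": 6, "handler": "Default-Malicious-File-Detection-By-Endpoint",
     "endpoint": "host-c", "threat": "Trojan.Generic",
     "tags": {"Malware", "BY_Endpoint"}},          # assumed tag set
    {"id": 7, "handler": "Default FOS System Events",
     "endpoint": "fgt-1", "threat": None, "tags": {"System", "FortiOS"}},
    {"id": 8, "handler": "Local Device Event",
     "endpoint": "faz-1", "threat": None, "tags": {"System", "Local"}},
]
ALL_HANDLERS = frozenset(e["handler"] for e in EVENTS)

# Sub-views per category as predicates on an event's tag set. Tag names follow
# the page; the predicate shape is this example's own.
VIEWS = {
    "By Endpoint": {
        "Malicious Domain/URL Access":
            lambda t: {"Risky", "BY_Endpoint"} <= t and bool(t & {"URL", "Domain"}),
        "Malware Activity": lambda t: {"Malware", "BY_Endpoint"} <= t,  # assumed
    },
    "By Threat": {
        "Malware Activity": lambda t: {"Malware", "By_Threat"} <= t,
    },
    "System Events": {
        "FortiGate": lambda t: {"System", "FortiOS"} <= t,
        "Local Device": lambda t: {"System", "Local"} <= t,
    },
}

# The aggregate view of each category covers every tag set any sub-view matches.
ALL_VIEW = {"By Endpoint": "All Security Events",
            "By Threat": "All Security Events",
            "System Events": "All"}

# Grouping (outer key, inner key) used when a category presents its events.
PIVOT_KEYS = {"By Endpoint": ("endpoint", "threat"),
              "By Threat": ("threat", "endpoint"),
              "System Events": ("endpoint", "handler")}


def in_view(event, category, view):
    """True if the event's tags make it visible from category > view."""
    subviews = VIEWS[category]
    if view == ALL_VIEW[category]:
        return any(pred(event["tags"]) for pred in subviews.values())
    return subviews[view](event["tags"])


def events_in_view(category, view, enabled_handlers, events=EVENTS):
    """IDs of the events a view shows. A handler that is not enabled never
    triggers an event, so its detections are absent from every view."""
    return sorted(e["id"] for e in events
                  if e["handler"] in enabled_handlers
                  and in_view(e, category, view))


def pivot(category, view, enabled_handlers, events=EVENTS):
    """Group a view's events the way its category presents them: By Endpoint
    lists threats under each endpoint, By Threat lists endpoints under each
    threat. Returns {outer key: sorted inner keys}."""
    outer, inner = PIVOT_KEYS[category]
    shown = set(events_in_view(category, view, enabled_handlers, events))
    groups = defaultdict(set)
    for e in events:
        if e["id"] in shown:
            groups[e[outer]].add(e[inner])
    return {k: sorted(v) for k, v in sorted(groups.items())}


if __name__ == "__main__":
    print(pivot("By Endpoint", "Malware Activity", ALL_HANDLERS))
    print(pivot("By Threat", "Malware Activity", ALL_HANDLERS))
    # With only the sandbox handler enabled, the file-detection events vanish.
    print(events_in_view("By Threat", "Malware Activity",
                         {"Default-Sandbox-Detections-By-Threat"}))
```

Run with every handler enabled, the two Malware Activity calls return the same four events grouped once by endpoint and once by threat; run with a single handler enabled, the view shrinks to that handler's events, which is the first thing to check when a default view unexpectedly shows nothing.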

Manage default views

To hide default views:
  1. Go to Incidents & Events.
  2. Right-click the view you want to hide.
  3. Select Hide from the context menu.

To disable or enable default views:
  1. Go to Incidents & Events.
  2. Select the gear icon at the bottom right of the navigation tree to open the Default Views settings.
  3. Choose which views are displayed by adding or removing a checkmark.
  4. Select Save.

To create and relocate custom views:
  1. Go to Incidents & Events.
  2. Select the view you want to copy.
  3. Select the custom view icon in the top-right corner.
  4. Enter a name for the custom view and assign it to one of the following categories:
    • By Endpoint
    • By Threat
    • System Events
    • Custom View

  5. Select OK.