Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiAnalyzer 6.4.15 Administration Guide
    6.4.15
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.9
    5.2.7
    5.2.6
    5.2.5
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.13
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.0
    4.2.0
    4.1.0
    4.0.0

    Predefined event handlers

    Predefined event handlers

    FortiAnalyzer includes many predefined event handlers that you can use to generate events. You can easily create a custom event handler by cloning a predefined event handler and customizing its settings. See Cloning event handlers.

    Note

    In 6.2.0 and up, predefined event handlers have been consolidated and have multiple filters that can be enabled or disabled individually.

    The following are a small sample of FortiAnalyzer predefined event handlers. To see all predefined event handlers, go to Incidents & Events/FortiSoC > Event Monitor > Event Handler List and select Show Predefined.

    Event Handler

    Description

    Default-Compromised Host-Detection-by IOC-By-Threat

    Disabled by default

    Filter 1:

    • Event Severity: Critical
    • Log Type: Traffic Log
    • Group by: dstip
    • Log messages that match all of the following conditions:
      • tdtype~infected
    • Tags: By_Endpoint, IP, C&C

    Filter 2:

    • Event Severity: Critical
    • Log Type: Web Filter
    • Group by: Hostname URL
    • Log messages that match all of the following conditions:
      • tdtype~infected
    • Tags: By_Endpoint, C&C, URL

    Filter 3:

    • Event Severity: Critical
    • Log Type: DNS Log
    • Group by: QNAME
    • Log messages that match all of the following conditions:
      • tdtype~infected
    • Tags: By_Endpoint, C&C, Domain

    Default-Data-Leak-Detection-By-Threat

    Disabled by deafult

    Filter 1:

    • Event Severity: Medium
    • Log Type: DLP
    • Group by: Filter Category, Source Endpoint
    • Tags: Signature, Leak

    Filter 2:

    • Event Severity: Low
    • Log Type: DLP
    • Group by: Filter Category
    • Event Status: Mitigated
    • Tags: Signature, Leak

    Default-Sandbox-Detections-By-Endpoint

    Disabled by default

    Filter 1:

    • Event Severity: Critical
    • Log Type: AntiVirus
    • Group by: Source Endpoint, Virus Name
    • Log messages that match all of the following conditions:
      • logid==0211009235 or logid==0211009237
    • Tags: By_Endpoint, Sandbox, Signature, Malware

    Filter 2:

    • Event Severity: Critical
    • Log Type: AntiVirus
    • Group by: Source Endpoint, Virus Name
    • Log messages that match all of the following conditions:
      • logid==0211009234 or logid==0211009236
    • Tags: By_Endpoint, Sandbox, Signature, Malware

    Filter 3:

    • Event Severity: Critical
    • Log Type: AntiVirus
    • Group by: Source Endpoint
    • Log messages that match all of the following conditions:
      • logid==0201009238 and fsaverdict==malicious
    • Tags: By_Endpoint, Sandbox, Malware

    Local Device Event

    Available only in the Root ADOM.

    Enabled by default

    • Devices: Local Device
    • Event Severity: Medium
    • Log Type: Event Log
    • Event Type: Any
    • Group By: Device ID
    • Log messages that match the following conditions:
      • Level Equal To Emergency
    • Tags: System, Local

    Below are examples of raw logs that would trigger the associated default event handler.

    Default Event Handler

    Example Log

    Local Device Event

    		 
    id=6872390755323740160 itime=2020-09-14 10:06:03 euid=1 epid=1 dsteuid=1 dstepid=1 log_id=0034043006 subtype=logdb type=event level=warning time=10:06:03 date=2020-09-14 user=system action=delete msg=Requested to trim database tables older than 60 days to enforce the retention policy of Adom root. userfrom=system desc=Trim local db devid=FAZ-VMTM20001572 devname=FAZ-VMTM20001572 dtime=2020-09-14 10:06:03 itime_t=1600103163

    Default-Compromised Host-Detection-by IOC-By-Threat

    		 
    date=2020-09-20 time=07:41:20 id=6874471739997290516 itime=2020-09-20 00:41:20 euid=3 epid=1161 dsteuid=3 dstepid=101 type=utm subtype=ips level=warning sessionid=917509475 policyid=2 srcip=172.16.93.164 dstip=5.79.68.109 srcport=51392 dstport=80 proto=6 logid=0421016399 service=HTTP eventtime=1537181449 crscore=30 crlevel=high srcintfrole=lan dstintfrole=wan direction=outgoing url=/ hostname=survey-smiles.com profile=default eventtype=malicious-url srcintf=95-FortiCloud dstintf=OSPF msg=URL blocked by malicious-url-list devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:20 itime_t=1600587680 devname=FG100D3G02000011
    Default-Risky-App-Detection-By-Threat 
    date=2020-09-20 time=07:41:23 id=6874471752882192399 itime=2020-09-20 00:41:23 euid=3 epid=1201 dsteuid=3 dstepid=101 type=utm subtype=app-ctrl level=information action=pass sessionid=3003333495 policyid=79 srcip=172.16.80.218 dstip=122.195.166.40 srcport=38625 dstport=26881 proto=6 logid=1059028704 service=tcp/26881 eventtime=1537399002 incidentserialno=603516169 crscore=5 crlevel=low direction=outgoing apprisk=high appid=6 srcintfrole=lan dstintfrole=wan applist=scan appcat=P2P app=BitTorrent eventtype=app-ctrl-all srcintf=80-software-r dstintf=port7 msg=P2P: BitTorrent_HTTP.Track, devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:23 itime_t=1600587683 devname=FG100D3G02000011

    FortiOS system events

    FortiOS predefined system event handlers are consolidated into a single event handler with multiple filters called Default FOS System Events.

    Events are organized by device in the Incidents & Events dashboards, which can be expanded to view all related events.

    Default FOS System Event filters apply tags to each event, allowing you to identify which Deafult FOS System Event filter triggered the event.

    Tooltip

    If you are upgrading from a version before FortiAnalyzer 6.2.0, the existing legacy predefined handlers which are enabled or have been modified will be available as custom handlers. In the Event Handler List, select the More dropdown and choose Show Custom.

    Previous
    Next

    Predefined event handlers

    Predefined event handlers

    FortiAnalyzer includes many predefined event handlers that you can use to generate events. You can easily create a custom event handler by cloning a predefined event handler and customizing its settings. See Cloning event handlers.

    Note

    In 6.2.0 and up, predefined event handlers have been consolidated and have multiple filters that can be enabled or disabled individually.

    The following are a small sample of FortiAnalyzer predefined event handlers. To see all predefined event handlers, go to Incidents & Events/FortiSoC > Event Monitor > Event Handler List and select Show Predefined.

    Event Handler

    Description

    Default-Compromised Host-Detection-by IOC-By-Threat

    Disabled by default

    Filter 1:

    • Event Severity: Critical
    • Log Type: Traffic Log
    • Group by: dstip
    • Log messages that match all of the following conditions:
      • tdtype~infected
    • Tags: By_Endpoint, IP, C&C

    Filter 2:

    • Event Severity: Critical
    • Log Type: Web Filter
    • Group by: Hostname URL
    • Log messages that match all of the following conditions:
      • tdtype~infected
    • Tags: By_Endpoint, C&C, URL

    Filter 3:

    • Event Severity: Critical
    • Log Type: DNS Log
    • Group by: QNAME
    • Log messages that match all of the following conditions:
      • tdtype~infected
    • Tags: By_Endpoint, C&C, Domain

    Default-Data-Leak-Detection-By-Threat

    Disabled by deafult

    Filter 1:

    • Event Severity: Medium
    • Log Type: DLP
    • Group by: Filter Category, Source Endpoint
    • Tags: Signature, Leak

    Filter 2:

    • Event Severity: Low
    • Log Type: DLP
    • Group by: Filter Category
    • Event Status: Mitigated
    • Tags: Signature, Leak

    Default-Sandbox-Detections-By-Endpoint

    Disabled by default

    Filter 1:

    • Event Severity: Critical
    • Log Type: AntiVirus
    • Group by: Source Endpoint, Virus Name
    • Log messages that match all of the following conditions:
      • logid==0211009235 or logid==0211009237
    • Tags: By_Endpoint, Sandbox, Signature, Malware

    Filter 2:

    • Event Severity: Critical
    • Log Type: AntiVirus
    • Group by: Source Endpoint, Virus Name
    • Log messages that match all of the following conditions:
      • logid==0211009234 or logid==0211009236
    • Tags: By_Endpoint, Sandbox, Signature, Malware

    Filter 3:

    • Event Severity: Critical
    • Log Type: AntiVirus
    • Group by: Source Endpoint
    • Log messages that match all of the following conditions:
      • logid==0201009238 and fsaverdict==malicious
    • Tags: By_Endpoint, Sandbox, Malware

    Local Device Event

    Available only in the Root ADOM.

    Enabled by default

    • Devices: Local Device
    • Event Severity: Medium
    • Log Type: Event Log
    • Event Type: Any
    • Group By: Device ID
    • Log messages that match the following conditions:
      • Level Equal To Emergency
    • Tags: System, Local

    Below are examples of raw logs that would trigger the associated default event handler.

    Default Event Handler

    Example Log

    Local Device Event

    		 
    id=6872390755323740160 itime=2020-09-14 10:06:03 euid=1 epid=1 dsteuid=1 dstepid=1 log_id=0034043006 subtype=logdb type=event level=warning time=10:06:03 date=2020-09-14 user=system action=delete msg=Requested to trim database tables older than 60 days to enforce the retention policy of Adom root. userfrom=system desc=Trim local db devid=FAZ-VMTM20001572 devname=FAZ-VMTM20001572 dtime=2020-09-14 10:06:03 itime_t=1600103163

    Default-Compromised Host-Detection-by IOC-By-Threat

    		 
    date=2020-09-20 time=07:41:20 id=6874471739997290516 itime=2020-09-20 00:41:20 euid=3 epid=1161 dsteuid=3 dstepid=101 type=utm subtype=ips level=warning sessionid=917509475 policyid=2 srcip=172.16.93.164 dstip=5.79.68.109 srcport=51392 dstport=80 proto=6 logid=0421016399 service=HTTP eventtime=1537181449 crscore=30 crlevel=high srcintfrole=lan dstintfrole=wan direction=outgoing url=/ hostname=survey-smiles.com profile=default eventtype=malicious-url srcintf=95-FortiCloud dstintf=OSPF msg=URL blocked by malicious-url-list devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:20 itime_t=1600587680 devname=FG100D3G02000011
    Default-Risky-App-Detection-By-Threat 
    date=2020-09-20 time=07:41:23 id=6874471752882192399 itime=2020-09-20 00:41:23 euid=3 epid=1201 dsteuid=3 dstepid=101 type=utm subtype=app-ctrl level=information action=pass sessionid=3003333495 policyid=79 srcip=172.16.80.218 dstip=122.195.166.40 srcport=38625 dstport=26881 proto=6 logid=1059028704 service=tcp/26881 eventtime=1537399002 incidentserialno=603516169 crscore=5 crlevel=low direction=outgoing apprisk=high appid=6 srcintfrole=lan dstintfrole=wan applist=scan appcat=P2P app=BitTorrent eventtype=app-ctrl-all srcintf=80-software-r dstintf=port7 msg=P2P: BitTorrent_HTTP.Track, devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:23 itime_t=1600587683 devname=FG100D3G02000011

    FortiOS system events

    FortiOS predefined system event handlers are consolidated into a single event handler with multiple filters called Default FOS System Events.

    Events are organized by device in the Incidents & Events dashboards, which can be expanded to view all related events.

    Default FOS System Event filters apply tags to each event, allowing you to identify which Deafult FOS System Event filter triggered the event.

    Tooltip

    If you are upgrading from a version before FortiAnalyzer 6.2.0, the existing legacy predefined handlers which are enabled or have been modified will be available as custom handlers. In the Event Handler List, select the More dropdown and choose Show Custom.

    Previous
    Next