Predefined event handlers

FortiAnalyzer includes many predefined event handlers that you can use to generate events. You can easily create a custom event handler by cloning a predefined event handler and customizing its settings. See Cloning event handlers.

If you wish to recieve notifications from a pedefined event handler, configure a notification profile and assign it to the event handler. See Creating notification profiles.

In 6.2.0 and up, predefined event handlers have been consolidated and have multiple rules that can be enabled or disabled individually.

To view predefined event handlers in the FortiAnalyzer GUI, go to FortiSoC/Incidents & Events > Handlers > Event Handler List. From the More dropdown, select Show Predefined.

The following are a small sample of FortiAnalyzer predefined event handlers.

Event Handler	Description
Default-Compromised Host-Detection-IOC-By-Threat	Disabled by default Rule 1: Traffic to CnC detected Event Severity: Critical Log Type: Traffic Log > Any Group by: Destination IP, Source Endpoint Log messages that match all of the following conditions: tdtype~infected Tags: IP, C&C, Ioc_Rescan Custom Message: Traffic to C&C:${dstip}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 2: Web traffic to CnC detected Event Severity: Critical Log Type: Web Filter Group by: Hostname URL, Source Endpoint Log messages that match all of the following conditions: tdtype~infected Tags: C&C, URL, Ioc_Rescan Custom Message: Traffic to C&C:${hostname}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 3: DNS traffic to CnC detected Event Severity: Critical Log Type: DNS Log Group by: QNAME, Source Endpoint Log messages that match all of the following conditions: tdtype~infected Tags: C&C, Domain, Ioc_Rescan Custom Message: Traffic to C&C:${qname}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 4: Traffic to CnC event detected by FortiGate Event Severity: Critical Log Type: Event Log Log messages that match all of the following conditions: logid==0100020214 Tags: C&C Custom Message: FGT detected traffic to IOC location, from the source ip:${srcip}
Default-Data-Leak-Detection-By-Threat	Disabled by default Rule 1: Data leak detected Event Severity: Medium Log Type: DLP Group by: Filter Category, Source Endpoint Tags: Signature, Leak Custom Message: File:${filename} (Type:${filetype}, Size:${filesize}), Traffic path: PolicyID ${policyid}\${dstip}:${dstport} Rule 2: Data leak blocked Event Severity: Low Log Type: DLP Group by: Filter Category, Source Endpoint Event Status: Mitigated Tags: Signature, Leak Custom Message: File:${filename} (Type:${filetype}, Size:${filesize}), Traffic path: PolicyID ${policyid}\${dstip}:${dstport}
Default-Sandbox-Detections-By-Endpoint	Disabled by default Rule 1: Malware detected Event Severity: Critical Log Type: AntiVirus Group by: Source Endpoint, Virus Name Log messages that match all of the following conditions: logid==0211009235 or logid==0211009237 Tags: Sandbox, Signature, Malware Custom Message: Malware:${virus} with severity:${crlevel} found in file:${filename} from ${dstip}:${dstport}, Reference: ${ref} Rule 2: Malware blocked Event Severity: Critical Log Type: AntiVirus Group by: Source Endpoint, Virus Name Log messages that match all of the following conditions: logid==0211009234 or logid==0211009236 Tags: Sandbox, Signature, Malware Custom Message: Malware:${virus} with severity:${crlevel} found in file:${filename} from ${dstip}:${dstport}, Reference: ${ref} Rule 3: Sandbox detected Malware Event Severity: Critical Log Type: AntiVirus Group by: Source Endpoint Log messages that match all of the following conditions: logid==0201009238 and fsaverdict==malicious Tags: Sandbox, Malware Custom Message: File:${filename}, Traffic path: ${dstintf}(Policy:${policyid})\${dstip}:${dstport}, Checksum:${analyticscksum}
Default-Shadow-IT-Events	Requires a FortiCASB connector configured on FortiAnalyzer in Fabric View. See Creating or editing Security Fabric connectors. This automatically creates the Get Cloud Service Data (FortiCasb Connector) playbook, which must be enabled for this event handler to generate events. See Playbooks. Disabled by default Rule 1: Unsanctioned Applications detected Event Severity: High Log Type: Application Control Group by: Source IP, Application Name Log messages that match all of the following conditions: (siflags & 1) == 0 && siappid >=0 Tags: Unsanctioned_App Custom Message: Unsanctioned application ${app} with app risk: ${apprisk} detected on: ${devname} with message: ${msg} Rule 2: File Exfiltration Attempts detected Event Severity: High Log Type: Application Control Group by: Source IP, Application Name Log messages that match all of the following conditions: (siflags & 4) == 4 Tags: File_Exfiltration Custom Message: File exfiltration detected on: ${devname} with message: ${msg} Rule 3: Unsanctioned Users detected Event Severity: High Log Type: Application Control Group by: Source IP, Application Name Log messages that match all of the following conditions: (siflags & 1) == 1 && (siflags & 2) == 0 Tags: Unsanctioned_User Custom Message: Unsanctioned user: ${unauthuser} with app risk: ${apprisk} detected on: ${devname} with message: ${msg}
Local Device Event	Available only in the Root ADOM. Enabled by default Data Selector: Default Local Device Selector Rule 1: Critical or important events Event Severity: Medium Log Type: Event Group by: Log Description Log messages that match the following conditions: Level Greater Than or Equal To Warning Tags: System, Local
Default-NOC-Interface-Events	Event handler for FortiGate device type logs to generate events for vlan/interface status up or down, and DNS service on interface status. Disabled by default Rule 1: Interface status changed to up Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: action="interface-stat-change" and status="UP" Tags: NOC, Interface Custom message: Device ${devname}, status changed to ${status} with message ${msg}. Rule 2: Interface status changed to down Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: action="interface-stat-change" and status="DOWN" Tags: NOC, Interface Custom message: Device ${devname}, status changed to ${status} with message ${msg}. Rule 3: DNS server config added Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: cfgpath="system.dns-server" and action="Add" Tags: NOC, Interface, DNS Custom Message: Device ${devname}, DNS server status changed with message ${msg}. Rule 4: DNS server config deleted Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: cfgpath="system.dns-server" and action="Delete" Tags: NOC, Interface, DNS Custom Message: Device ${devname}, DNS server status changed with message ${msg}.
Default-NOC-FortiExtender-Events	Event handler for FortiGate device type logs to generate events for FortiExtender alerts, authorization and controller activity events. Disabled by default Rule 1: FortiExtender Authorized Event Severity: Medium Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: action="FortiExtender Authorized" Tags: NOC, FortiExtender Custom message: Device: ${ip} ${action} with message: ${msg} Rule 2: Warning event detected Event Severity: High Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: level="warning" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 3: Alert event detected Event Severity: High Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: level="alert" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 4: Critical event detected Event Severity: Critical Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: level="critical" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 5: Error event detected Event Severity: Medium Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: level="error" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 6: Emergency event detected Event Severity: Critical Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: level="emergency" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 7: FortiExtender controller activity detected Event Severity: Medium Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: logid="0111046401" and logdesc="FortiExtender controller activity" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 8: FortiExtender controller activity error detected Event Severity: Medium Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: logid="0111046402" and logdesc="FortiExtender controller activity error" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg}
Default-NOC-Routing-Events	Event handler for FortiGate device type logs to generate events for changes in routing information including BGP Neighbor Status, Routing information change, OSFP Neighbor Status, Neighbor Table Changed and VRRP State Changed Disabled by default Rule 1: Routing information changed Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc="Routing information changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 2: BGP neighbor status changed Event Severity: Medium Log Type: Event > Router Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc="BGP neighbor status changed" Tags: NOC, Routing Custom message: ${devname}. BGP neighbor status changed with message ${msg} Rule 3: OSPF or OSPF6 neighbor status changed Event Severity: Medium Log Type: Event > Router Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="OSPF neighbor status changed" OR logdesc=="OSPF6 neighbor status changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 4: Neighbor table changed Event Severity: Medium Log Type: Event > Router Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="neighbor table change" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 5: VRRP state changed Event Severity: Medium Log Type: Event > Router Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="VRRP state changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg}
Default-NOC-Network-Events	Event handler for FortiGate device type logs to generate network events including SNMP queries, routing information changes, DHCP server and status changes Disabled by default Rule 1: Device SNMP query failed Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logid="0100029021" AND logdesc="SNMP query failed" Tags: NOC, Network Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 2: Device routing information changed Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Routing information changed" Tags: NOC, Network Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 3: DHCP client lease granted or usage high Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="DHCP client lease granted" OR logdesc=="DHCP lease usage high" OR logdesc=="DHCP lease usage full" Tags: NOC, Network Custom message: DHCP status on Device ${devname} is ${logdesc} with message: ${msg} Rule 4: SNMP enabled Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: cfgpath="system.snmp.sysinfo" and logdesc="Attribute configured" and cfgattr=status[disable->enable] Tags: NOC, Network Custom message: Device ${devname} ${logdesc} ${cfgattr} with message ${msg}. Rule 5: SNMP disabled Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: cfgpath="system.snmp.sysinfo" and logdesc="Attribute configured" and cfgattr=status[enable->disable] Tags: NOC, Network Custom message: Device ${devname} ${logdesc} ${cfgattr} with message ${msg}. Rule 6: DHCP server status changed Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: cfgpath="system.dhcp.server" and logdesc="Object attribute configured" Tags: NOC, Network Custom message: DHCP server status change ${cfgattr} with message ${msg}. Rule 7: DHCP lease renewed Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: dhcp_msg="Ack" and logdesc="DHCP Ack log" Tags: NOC, Network Custom message: Host ${hostname} with message ${msg}. Rule 8: DHCP lease released Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: dhcp_msg="Release" and logdesc="DHCP Release log" Tags: NOC, Network Custom message: Host ${hostname} with message ${msg}.
Default-NOC-Switch-Events	Event handler for FortiGate device type logs to generate events for Switch-Controller added/deleted or authorized/deauthorized, Switch-Controller Status, Interface flapping, LAG/MCLAG and split-brain status, Cable test/diagnosis and physical port up/down Disabled by default Rule 1: Switch-Controller activity detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Message Log messages that match all of the following conditions: (subtype="switch-controller") and (logdesc=="Switch-Controller discovered" OR logdesc=="Switch-Controller authorized" OR logdesc=="Switch-Controller deauthorized" OR logdesc=="Switch-Controller deleted" OR logdesc=="Switch-Controller warning") Tags: NOC, Switch, Controller Custom message: ${logdesc} Rule 2: Vlan interface change has occurred Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc='FortiSwitch system' and msg~"interface vlan" Tags: NOC, Switch, Controller Custom message: Device ${devname} interface vlan change with message: ${msg} Rule 3: Port switch detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Message Log messages that match all of the following conditions: logdesc="FortiSwitch link" AND msg~"switch port" Tags: NOC, Switch, Controller Custom message: ${logdesc} on Device: ${devname} with message: ${msg} Rule 4: Device flap detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Message Log messages that match all of the following conditions: msg~"flap" Tags: NOC, Switch, Controller Default message Rule 5: Device LAG-MCLAG status change Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: msg~"lag" OR msg~"mclag" Tags: NOC, Switch, Controller Custom message: Device: ${devname} LAG-MCLAG status update with message: ${msg} Rule 6: Device MCLAG split-brain detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: log_id=0115032695 and msg~"MCLAG split-brain" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 7: Device cable diagnose detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: log_id=0115032699 and msg~"CABLE DIAGNOSE" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 8: Device come up detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: log_id=="0115032695" and msg~"come up" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 9: Device gone down detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: log_id=="0115032695" and msg~"gone down" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}.
Default-NOC-HA-Events	Event handler for FortiGate device type logs to generate events for HA cluster updates and alerts including HA Device interface failure, Cluster Priority Changed, cluster member state moved, device interface down, HA device syncronization status, connection to FortiAnalyzer status, FortiManager tunnel connection status and connection with CSF member status. Disabled by default Rule 1: HA device interface failed Event Severity: High Log Type: Event > HA Group by: Device Name, Message Log messages that match all of the following conditions: logdesc=="HA device interface failed" and logid=="0108037898" Tags: NOC, HA, Cluster Default message Rule 2: Device set as HA primary Event Severity: High Log Type: Event > HA Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Device set as HA primary" Tags: NOC, HA, Cluster Custom message: Device: ${devname} has been set to HA Primary with msg: ${msg} Rule 3: Cluster state moved or Heartbeat device interface down Event Severity: High Log Type: Event > HA Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Virtual cluster member state moved" OR logdesc=="Heartbeat device interface down" Tags: NOC, HA, Cluster Custom message: Device: ${devname} ${logdesc} with HA role: ${ha_role} Rule 4: Synchronization activity detected Event Severity: High Log Type: Event > HA Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="HA secondary synchronization failed" OR logdesc=="Secondary sync failed" OR logdesc="Synchronization status with master" Tags: NOC, HA, Cluster Custom message: Device: HA synchronization status for Device: ${devname} ${logdesc}. Message: ${msg}. Status is: ${sync_status} Rule 5: FortiAnalyzer connection up Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: action="connect" and status="success" and logdesc="FortiAnalyzer connection up" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 6: FortiAnalyzer connection failed Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: action="connect" and status="failure" and logdesc="FortiAnalyzer connection failed" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 7: Upstream connection with CSF member established and authorized Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: direction="upstream" and logdesc="Connection with CSF member established and authorized" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 8: Upstream connection with authorized CSF member terminated Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: direction="upstream" and logdesc="Connection with authorized CSF member terminated" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 9: FortiManager tunnel connection up Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: action="connect" and status="success" and logdesc="FortiManager tunnel connection up" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${logdesc} with message - ${msg}. Rule 10: FortiManager tunnel connection down Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: action="connect" and status="failure" and logdesc="FortiManager tunnel connection down" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${logdesc} with message - ${msg}.
Default-NOC-Wireless-Events	Event handler for FortiGate device type logs to generate events for wireless wifi, AP updates and alerts including AP Status Change and Fake/Rogue AP detection, wireless client status change added/removed/allowed or denied status, signal to noise ratio (SNR) poor/fair/good, SSID status up/down. Disabled by default Rule 1: Fake AP detected Event Severity: Medium Log Type: Event > Wireless Group by: Device Name, SSID Log messages that match all of the following conditions: logid="0104043567" AND logdesc=="Fake AP detected" Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. SN: ${sndetected} Rule 2: Rogue AP detected Event Severity: Medium Log Type: Event > Wireless Group by: Device Name, SSID Log messages that match all of the following conditions: logid=="0104043563" AND logdesc=="Rogue AP detected" Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. SN: ${sndetected} with message: ${msg} Rule 3: Wireless event log id matched Event Severity: Medium Log Type: Event > Wireless Group by: Device Name, Message Log messages that match all of the following conditions: subtype="wireless" AND (logid=="0104043551" OR logid=="0104043552" OR logid=="0104043553") Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. of AP: ${ap} Rule 4: Wireless client activity detected Event Severity: Medium Log Type: Event > Wireless Group by: Device Name, Log Description Log messages that match all of the following conditions: (logdesc=="Wireless client associated" OR logdesc=="Wireless client authenticated" OR logdesc=="Wireless client disassociated" OR logdesc=="Wireless client deauthenticated" OR logdesc=="Wireless client idle" OR logdesc=="Wireless client denied" OR logdesc=="Wireless client kicked" OR logdesc="Wireless client IP assigned" OR logdesc=="Wireless client left WTP" OR logdesc=="Wireless client WTP disconnected") Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc} for ${ssid} with message: ${msg} Rule 5: Signal-to-noise ratio is poor Event Severity: Medium Log Type: Event > Wireless Group by: Device Name Log messages that match all of the following conditions: snr<="24" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has a poor quality SNR at ${snr} dB. Rule 6: Signal-to-noise ratio is fair Event Severity: Medium Log Type: Event > Wireless Group by: Device Name Log messages that match all of the following conditions: snr>="25" and snr<="40" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has fair quality SNR at ${snr} dB. Rule 7: Signal-to-noise ratio on is excellent Event Severity: Medium Log Type: Event > Wireless Group by: Device Name Log messages that match all of the following conditions: snr>="41" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has excellent quality SNR at ${snr} dB. Rule 8: Physical AP radio ssid up Event Severity: Medium Log Type: Event > Wireless Group by: SSID, Log Description Log messages that match all of the following conditions: logdesc="Physical AP radio ssid up" and action="ssid-up" Tags: NOC, Wireless, Wifi, AP Custom message: Device ${sn} SSID status change with message ${msg}. Rule 9: Physical AP radio ssid down Event Severity: Medium Log Type: Event > Wireless Group by: SSID, Log Description Log messages that match all of the following conditions: logdesc="Physical AP radio ssid down" and action="ssid-down" Tags: NOC, Wireless, Wifi, AP Custom message: Device ${sn} SSID status change with message ${msg}.
Default-NOC-Security-Events	Event handler for FortiGate device type logs to generate events for security events including Admin Logins failed or disabled, Admin or Admin Monitor Disconnected, Admin password expired and UTM Profile changes Disabled by default Rule 1: Admin login failed or desabled Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Admin login failed" OR logdesc=="Admin login disabled" OR logdesc=="SSL VPN login fail" Tags: NOC, Security, Login, Password Custom message: ${logdesc} for ${user} on device: ${devname} due to: ${reason} with message: ${msg} Rule 2: Admin password expired Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Admin password expired" Tags: NOC, Security, Login, Password Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 3: Admin disconnected Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Admin disconnected" OR logdesc=="Admin monitor disconnected" Tags: NOC, Security, Login, Password Custom message: ${logdesc} on device: ${devname} with message: ${msg} Rule 4: AV or IPS change detected Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="AV updated by admin" OR logdesc=="IPS package - Admin update successful" OR logdesc=="AV package update by SCP failed" OR logdesc=="IPS package failed to update via SCP" OR logdesc=="IPS custom signatures backup failed" Tags: NOC, Security, Login, Password Custom message: Device: ${devname} ${logdesc} with message: ${msg}
Default-NOC-Fabric-Events	Event handler for FortiAnalyzer and FortiGate log device type to detect Fabric events, including device offline, CSF member connection status down or terminated, CSF member configuration changes, automation stitch triggered , licenses that are expiring or failed updates. Disabled by default Rule 1: Device offline detected Event Severity: High Log Type: Application Group by: Logging Device Name, Message Log messages that match all of the following conditions: desc="Device offline" Tags: NOC, Fabric Custom message: ${logdev_id} is offline Rule 2: FortiAnalyzer connection down detected Event Severity: High Log Type: Event > System Group by: Device Name, Message Log messages that match all of the following conditions: logdesc="FortiAnalyzer connection down" Tags: NOC, Fabric Default message Rule 3: Connection with authorized CSF member terminated Event Severity: High Log Type: Event > System Group by: Device Name, Message Log messages that match all of the following conditions: logdesc="Connection with authorized CSF member terminated" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devid} due to: ${reason} Rule 4: Automation stitch triggered Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc="Automation stitch triggered" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devname} with message: ${msg} and stitch action: ${stitchaction} Rule 5: Device license failed or expiring detected Event Severity: Critical Log Type: Event > System Group by: Device Name, Message Log messages that match all of the following conditions: logdesc~"license failed" OR logdesc~"license expiring" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devid} Rule 6: System update or failure detected Event Severity: Critical Log Type: Event > System Group by: Device Name, Message Log messages that match all of the following conditions: logdesc~"update" AND logdesc~"failed" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devname} with message: ${msg} Rule 7: Security fabric settings change detected Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Settings modified by Security Fabric service" OR logdesc=="Looped configuration in Security Fabric service" OR logdesc=="Connection with CSF member established and authorized" OR logdesc=="Connection with authorized CSF member terminated" OR logdesc=="Serial number of upstream is changed" Tags: NOC, Fabric Custom message: Device: ${devname} change with message: ${msg}
Default-NOC-System-Events	Event handler for FortiGate device type logs to generate events for system events including Power failure and device shutdown, High Resource usage (CPU, Mem, Storage), log device full status warnings and disk rolled, and devices entering/exiting conserve mode. Disabled by default Rule 1: Device shutdown detected Event Severity: Critical Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc="Device shutdown" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devname} experienced $logdesc with message: ${msg} Rule 2: Device conserve mode detected Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="conserve mode" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${logdesc} on Device: ${devname} with message ${msg} Rule 3: Disk or memory is full Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Disk log full over first warning" OR logdesc=="Memory log full over first warning level" OR logdesc=="Memory log full over second warning level" OR logdesc=="Memory log full over final warning level" OR logdesc=="Disk full" OR logdesc=="Disk log rolled" OR logdesc=="Log disk full" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 4: Device high CPU consumption detected Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: cpu>="80" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devid} performance cpu: ${cpu} Rule 5: Device high memory consumption detected Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: mem>="75" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devid} performance memory: ${memory}
Default-NOC-VPN-Events	Event handler for FortiGate device type logs to generate events for VPN status changes including IPsec Phase1 error or failure, and Phase2 Up/Down and errors, Ipsec Tunnel Up/Down, VPN SSL login failures, IPSec ESP Error, IPsec DPD failures Disabled by default Rule 1: User SSL VPN login failed Event Severity: High Log Type: Event > VPN Group by: Device Name, End User Log messages that match all of the following conditions: logid=="0101039426" and action=="ssl-login-fail" Tags: NOC, VPN Custom message: ${logdesc} due to: ${reason} Rule 2: IPsec phase 1 error or status fail detected Event Severity: High Log Type: Event > VPN Group by: Device Name, Message Log messages that match all of the following conditions: (logid=="0101037124" OR logid=="0101037120") and (logdesc=="IPsec phase 1 error" OR status="fail") Tags: NOC, VPN Custom message: ${logdesc} due to: ${status} with reason: ${reason} Rule 3: IPsec ESP error detected Event Severity: High Log Type: Event > VPN Group by: Device Name, Message Log messages that match all of the following conditions: logid=="0101037131" and logdesc=="IPsec ESP" Tags: NOC, VPN Custom message: ${status} on: ${devname}, ${error_num} Rule 4: IPsec DPD failed Event Severity: High Log Type: Event > VPN Group by: Device Name, Message Log messages that match all of the following conditions: logid=="0101037136" and logdesc=="IPsec DPD failed" Tags: NOC, VPN Custom message: ${msg} on device: ${devname} Rule 5: Device tunnel-up or tunnel-down detected Event Severity: High Log Type: Event > VPN Group by: Device Name, Log Description Log messages that match all of the following conditions: logid="0101037138" and (action="tunnel-up" or action= "tunnel-down") Tags: NOC, VPN Custom message: ${msg} due to: ${action} Rule 6: IPsec phase 2 error detected Event Severity: High Log Type: Event > VPN Group by: Device Name, Message Log messages that match all of the following conditions: logid=="0101037125" and logdesc=="IPsec phase 2 error" Tags: NOC, VPN Custom message: ${logdesc} due to: ${reason} Rule 7: Device phase2-up or phase2-down detected Event Severity: Medium Log Type: Event > VPN Group by: Device Name, Message Log messages that match all of the following conditions: logid=="0101037139" and (action=="phase2-up" OR action=="phase2-down") Tags: NOC, VPN Custom message: ${logdesc} due to: ${action}
Default-NOC-SD-WAN-Events	Event handler for FortiGate device type logs to generate events for SD-WAN status, alerts, and health check events including SLA targets/SLA met or not met for jitter, latency, packetloss, Health-check server status (alive or dead), status (up or down), and member status change. Disabled by default Rule 1: SLA failed for jitter Event Severity: High Log Type: Event > SD-WAN Group by: Device Name, Health Check Log messages that match all of the following conditions: subtype=="sdwan" AND metric=="jitter" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${jitter} which violates the target ID ${slatargetid}. Rule 2: SLA failed for latency Event Severity: High Log Type: Event > SD-WAN Group by: Device Name, Health Check Log messages that match all of the following conditions: subtype=="sdwan" AND metric=="latency" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${latency} which violates the target ID ${slatargetid}. Rule 3: SLA failed for packetloss Event Severity: High Log Type: Event > SD-WAN Group by: Device Name, Health Check Log messages that match all of the following conditions: subtype=="sdwan" AND metric=="packetloss" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${packetloss} which violates the target ID ${slatargetid}. Rule 4: Device status changed to die Event Severity: Medium Log Type: Event > SD-WAN Group by: Device Name, Log Description Log messages that match all of the following conditions: logid="0113022925" AND newvalue="die" Tags: NOC, SD-WAN Custom message: Device: ${devname} with status ${newvalue}. ${msg}. Rule 5: Device status changed to alive. Event Severity: Medium Log Type: Event > SD-WAN Group by: Device Name, Log Description Log messages that match all of the following conditions: logid="0113022925" AND newvalue="alive" Tags: NOC, SD-WAN Custom message: Device: ${devname} with status ${newvalue}. ${msg}. Rule 6: Device status is up Event Severity: Medium Log Type: Event > SD-WAN Group by: Device Name, Health Check Log messages that match all of the following conditions: logid="0113022925" AND status=="up" Tags: NOC, SD-WAN Custom message: Device: ${devname} ${msg} status is ${status}. Rule 7: Device status is down Event Severity: Medium Log Type: Event > SD-WAN Group by: Device Name, Health Check Log messages that match all of the following conditions: logid="0113022925" AND status=="down" Tags: NOC, SD-WAN Custom message: Device: ${devname} ${msg} status is ${status}. Rule 8: Number of pass member changed Event Severity: Medium Log Type: Event > SD-WAN Group by: Device Name, Log Description Log messages that match all of the following conditions: logid="0113022923" AND msg="Number of pass member changed." Tags: NOC, SD-WAN Custom message: ${msg} from ${oldvalue} to ${newvalue} for ${devname} Rule 9: Member status changed Event Severity: Medium Log Type: Event > SD-WAN Group by: Device Name, Log Description Log messages that match all of the following conditions: logid="0113022923" AND msg="Member status changed. Member out-of-sla." Tags: NOC, SD-WAN Custom message: ${msg}. Member is now ${member} on ${devname}.
Default-NOC-Docker-Events	Event handler for FortiGate device type logs to generate events for Docker including inlcuding container enabled/disabled, CPU value set/max reached and MEM value set/max reached Disabled by default Rule 1: Memory report detected Event Severity: Medium Log Type: Event Group by: Type, Subtype Log messages that match all of the following conditions: log_id=="0042010266" and msg~"MEM" Tags: NOC, Docker Custom message: Device ${devname} with message ${msg}. Rule 2: CPU report detected Event Severity: Medium Log Type: Event Group by: Type, Subtype Log messages that match all of the following conditions: log_id=="0042010266" and msg~"CPU" Tags: NOC, Docker Custom message: Device ${devname} with message ${msg}. Rule 3: Status changed to disable 1 Event Severity: Medium Log Type: Event Group by: Type, Subtype Log messages that match all of the following conditions: log_id="0001010026" and changes~"status=disable" Tags: NOC, Docker Custom message: Device ${devname} with changes ${changes}. Rule 4: Status changed to disable 2 Event Severity: Medium Log Type: Event Group by: Type, Subtype Log messages that match all of the following conditions: log_id="0001010026" and changes~"status=disable" Tags: NOC, Docker Custom message: Device ${devname} with changes ${changes}.

Below are examples of raw logs that would trigger the associated default event handler.

Default Event Handler	Example Log
Local Device Event	id=6872390755323740160 itime=2020-09-14 10:06:03 euid=1 epid=1 dsteuid=1 dstepid=1 log_id=0034043006 subtype=logdb type=event level=warning time=10:06:03 date=2020-09-14 user=system action=delete msg=Requested to trim database tables older than 60 days to enforce the retention policy of Adom root. userfrom=system desc=Trim local db devid=FAZ-VMTM20001572 devname=FAZ-VMTM20001572 dtime=2020-09-14 10:06:03 itime_t=1600103163
Default-Compromised Host-Detection-by IOC-By-Threat	date=2020-09-20 time=07:41:20 id=6874471739997290516 itime=2020-09-20 00:41:20 euid=3 epid=1161 dsteuid=3 dstepid=101 type=utm subtype=ips level=warning sessionid=917509475 policyid=2 srcip=172.16.93.164 dstip=5.79.68.109 srcport=51392 dstport=80 proto=6 logid=0421016399 service=HTTP eventtime=1537181449 crscore=30 crlevel=high srcintfrole=lan dstintfrole=wan direction=outgoing url=/ hostname=survey-smiles.com profile=default eventtype=malicious-url srcintf=95-FortiCloud dstintf=OSPF msg=URL blocked by malicious-url-list devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:20 itime_t=1600587680 devname=FG100D3G02000011
Default-Risky-App-Detection-By-Threat	date=2020-09-20 time=07:41:23 id=6874471752882192399 itime=2020-09-20 00:41:23 euid=3 epid=1201 dsteuid=3 dstepid=101 type=utm subtype=app-ctrl level=information action=pass sessionid=3003333495 policyid=79 srcip=172.16.80.218 dstip=122.195.166.40 srcport=38625 dstport=26881 proto=6 logid=1059028704 service=tcp/26881 eventtime=1537399002 incidentserialno=603516169 crscore=5 crlevel=low direction=outgoing apprisk=high appid=6 srcintfrole=lan dstintfrole=wan applist=scan appcat=P2P app=BitTorrent eventtype=app-ctrl-all srcintf=80-software-r dstintf=port7 msg=P2P: BitTorrent_HTTP.Track, devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:23 itime_t=1600587683 devname=FG100D3G02000011
Default_NOC_Routing_Events	date=2021-02-08 time=10:36:09 eventtime=1612809370040652208 tz="-0800" logid="0103027001" type="event" subtype="router" level="information" vd="root" logdesc="VRRP state changed" interface="port1" msg="VRRP vrid 200 vrip 172.17.200.200 changes state from Master to Backup due to ADVERTISEMENT with higherer priority received"

FortiOS system events

FortiOS predefined system event handlers are consolidated into a single event handler with multiple rules called Default FOS System Events.

Events are organized by device in the FortiSoC/Incidents & Events dashboards, which can be expanded to view all related events.

Default FOS System Events rules apply tags to each event, allowing you to identify which Default FOS System Events rule triggered the event.

If you are upgrading from a version before FortiAnalyzer 6.2.0, the existing legacy predefined handlers which are enabled or have been modified will be available as custom handlers. In the Event Handler List, select the More dropdown and choose Show Custom.

Predefined event handlers

If you wish to recieve notifications from a pedefined event handler, configure a notification profile and assign it to the event handler. See Creating notification profiles.

In 6.2.0 and up, predefined event handlers have been consolidated and have multiple rules that can be enabled or disabled individually.

To view predefined event handlers in the FortiAnalyzer GUI, go to FortiSoC/Incidents & Events > Handlers > Event Handler List. From the More dropdown, select Show Predefined.

The following are a small sample of FortiAnalyzer predefined event handlers.

Event Handler	Description
Default-Compromised Host-Detection-IOC-By-Threat	Disabled by default Rule 1: Traffic to CnC detected Event Severity: Critical Log Type: Traffic Log > Any Group by: Destination IP, Source Endpoint Log messages that match all of the following conditions: tdtype~infected Tags: IP, C&C, Ioc_Rescan Custom Message: Traffic to C&C:${dstip}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 2: Web traffic to CnC detected Event Severity: Critical Log Type: Web Filter Group by: Hostname URL, Source Endpoint Log messages that match all of the following conditions: tdtype~infected Tags: C&C, URL, Ioc_Rescan Custom Message: Traffic to C&C:${hostname}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 3: DNS traffic to CnC detected Event Severity: Critical Log Type: DNS Log Group by: QNAME, Source Endpoint Log messages that match all of the following conditions: tdtype~infected Tags: C&C, Domain, Ioc_Rescan Custom Message: Traffic to C&C:${qname}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 4: Traffic to CnC event detected by FortiGate Event Severity: Critical Log Type: Event Log Log messages that match all of the following conditions: logid==0100020214 Tags: C&C Custom Message: FGT detected traffic to IOC location, from the source ip:${srcip}
Default-Data-Leak-Detection-By-Threat	Disabled by default Rule 1: Data leak detected Event Severity: Medium Log Type: DLP Group by: Filter Category, Source Endpoint Tags: Signature, Leak Custom Message: File:${filename} (Type:${filetype}, Size:${filesize}), Traffic path: PolicyID ${policyid}\${dstip}:${dstport} Rule 2: Data leak blocked Event Severity: Low Log Type: DLP Group by: Filter Category, Source Endpoint Event Status: Mitigated Tags: Signature, Leak Custom Message: File:${filename} (Type:${filetype}, Size:${filesize}), Traffic path: PolicyID ${policyid}\${dstip}:${dstport}
Default-Sandbox-Detections-By-Endpoint	Disabled by default Rule 1: Malware detected Event Severity: Critical Log Type: AntiVirus Group by: Source Endpoint, Virus Name Log messages that match all of the following conditions: logid==0211009235 or logid==0211009237 Tags: Sandbox, Signature, Malware Custom Message: Malware:${virus} with severity:${crlevel} found in file:${filename} from ${dstip}:${dstport}, Reference: ${ref} Rule 2: Malware blocked Event Severity: Critical Log Type: AntiVirus Group by: Source Endpoint, Virus Name Log messages that match all of the following conditions: logid==0211009234 or logid==0211009236 Tags: Sandbox, Signature, Malware Custom Message: Malware:${virus} with severity:${crlevel} found in file:${filename} from ${dstip}:${dstport}, Reference: ${ref} Rule 3: Sandbox detected Malware Event Severity: Critical Log Type: AntiVirus Group by: Source Endpoint Log messages that match all of the following conditions: logid==0201009238 and fsaverdict==malicious Tags: Sandbox, Malware Custom Message: File:${filename}, Traffic path: ${dstintf}(Policy:${policyid})\${dstip}:${dstport}, Checksum:${analyticscksum}
Default-Shadow-IT-Events	Requires a FortiCASB connector configured on FortiAnalyzer in Fabric View. See Creating or editing Security Fabric connectors. This automatically creates the Get Cloud Service Data (FortiCasb Connector) playbook, which must be enabled for this event handler to generate events. See Playbooks. Disabled by default Rule 1: Unsanctioned Applications detected Event Severity: High Log Type: Application Control Group by: Source IP, Application Name Log messages that match all of the following conditions: (siflags & 1) == 0 && siappid >=0 Tags: Unsanctioned_App Custom Message: Unsanctioned application ${app} with app risk: ${apprisk} detected on: ${devname} with message: ${msg} Rule 2: File Exfiltration Attempts detected Event Severity: High Log Type: Application Control Group by: Source IP, Application Name Log messages that match all of the following conditions: (siflags & 4) == 4 Tags: File_Exfiltration Custom Message: File exfiltration detected on: ${devname} with message: ${msg} Rule 3: Unsanctioned Users detected Event Severity: High Log Type: Application Control Group by: Source IP, Application Name Log messages that match all of the following conditions: (siflags & 1) == 1 && (siflags & 2) == 0 Tags: Unsanctioned_User Custom Message: Unsanctioned user: ${unauthuser} with app risk: ${apprisk} detected on: ${devname} with message: ${msg}
Local Device Event	Available only in the Root ADOM. Enabled by default Data Selector: Default Local Device Selector Rule 1: Critical or important events Event Severity: Medium Log Type: Event Group by: Log Description Log messages that match the following conditions: Level Greater Than or Equal To Warning Tags: System, Local
Default-NOC-Interface-Events	Event handler for FortiGate device type logs to generate events for vlan/interface status up or down, and DNS service on interface status. Disabled by default Rule 1: Interface status changed to up Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: action="interface-stat-change" and status="UP" Tags: NOC, Interface Custom message: Device ${devname}, status changed to ${status} with message ${msg}. Rule 2: Interface status changed to down Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: action="interface-stat-change" and status="DOWN" Tags: NOC, Interface Custom message: Device ${devname}, status changed to ${status} with message ${msg}. Rule 3: DNS server config added Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: cfgpath="system.dns-server" and action="Add" Tags: NOC, Interface, DNS Custom Message: Device ${devname}, DNS server status changed with message ${msg}. Rule 4: DNS server config deleted Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: cfgpath="system.dns-server" and action="Delete" Tags: NOC, Interface, DNS Custom Message: Device ${devname}, DNS server status changed with message ${msg}.
Default-NOC-FortiExtender-Events	Event handler for FortiGate device type logs to generate events for FortiExtender alerts, authorization and controller activity events. Disabled by default Rule 1: FortiExtender Authorized Event Severity: Medium Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: action="FortiExtender Authorized" Tags: NOC, FortiExtender Custom message: Device: ${ip} ${action} with message: ${msg} Rule 2: Warning event detected Event Severity: High Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: level="warning" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 3: Alert event detected Event Severity: High Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: level="alert" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 4: Critical event detected Event Severity: Critical Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: level="critical" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 5: Error event detected Event Severity: Medium Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: level="error" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 6: Emergency event detected Event Severity: Critical Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: level="emergency" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 7: FortiExtender controller activity detected Event Severity: Medium Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: logid="0111046401" and logdesc="FortiExtender controller activity" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 8: FortiExtender controller activity error detected Event Severity: Medium Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: logid="0111046402" and logdesc="FortiExtender controller activity error" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg}
Default-NOC-Routing-Events	Event handler for FortiGate device type logs to generate events for changes in routing information including BGP Neighbor Status, Routing information change, OSFP Neighbor Status, Neighbor Table Changed and VRRP State Changed Disabled by default Rule 1: Routing information changed Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc="Routing information changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 2: BGP neighbor status changed Event Severity: Medium Log Type: Event > Router Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc="BGP neighbor status changed" Tags: NOC, Routing Custom message: ${devname}. BGP neighbor status changed with message ${msg} Rule 3: OSPF or OSPF6 neighbor status changed Event Severity: Medium Log Type: Event > Router Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="OSPF neighbor status changed" OR logdesc=="OSPF6 neighbor status changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 4: Neighbor table changed Event Severity: Medium Log Type: Event > Router Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="neighbor table change" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 5: VRRP state changed Event Severity: Medium Log Type: Event > Router Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="VRRP state changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg}
Default-NOC-Network-Events	Event handler for FortiGate device type logs to generate network events including SNMP queries, routing information changes, DHCP server and status changes Disabled by default Rule 1: Device SNMP query failed Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logid="0100029021" AND logdesc="SNMP query failed" Tags: NOC, Network Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 2: Device routing information changed Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Routing information changed" Tags: NOC, Network Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 3: DHCP client lease granted or usage high Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="DHCP client lease granted" OR logdesc=="DHCP lease usage high" OR logdesc=="DHCP lease usage full" Tags: NOC, Network Custom message: DHCP status on Device ${devname} is ${logdesc} with message: ${msg} Rule 4: SNMP enabled Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: cfgpath="system.snmp.sysinfo" and logdesc="Attribute configured" and cfgattr=status[disable->enable] Tags: NOC, Network Custom message: Device ${devname} ${logdesc} ${cfgattr} with message ${msg}. Rule 5: SNMP disabled Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: cfgpath="system.snmp.sysinfo" and logdesc="Attribute configured" and cfgattr=status[enable->disable] Tags: NOC, Network Custom message: Device ${devname} ${logdesc} ${cfgattr} with message ${msg}. Rule 6: DHCP server status changed Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: cfgpath="system.dhcp.server" and logdesc="Object attribute configured" Tags: NOC, Network Custom message: DHCP server status change ${cfgattr} with message ${msg}. Rule 7: DHCP lease renewed Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: dhcp_msg="Ack" and logdesc="DHCP Ack log" Tags: NOC, Network Custom message: Host ${hostname} with message ${msg}. Rule 8: DHCP lease released Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: dhcp_msg="Release" and logdesc="DHCP Release log" Tags: NOC, Network Custom message: Host ${hostname} with message ${msg}.
Default-NOC-Switch-Events	Event handler for FortiGate device type logs to generate events for Switch-Controller added/deleted or authorized/deauthorized, Switch-Controller Status, Interface flapping, LAG/MCLAG and split-brain status, Cable test/diagnosis and physical port up/down Disabled by default Rule 1: Switch-Controller activity detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Message Log messages that match all of the following conditions: (subtype="switch-controller") and (logdesc=="Switch-Controller discovered" OR logdesc=="Switch-Controller authorized" OR logdesc=="Switch-Controller deauthorized" OR logdesc=="Switch-Controller deleted" OR logdesc=="Switch-Controller warning") Tags: NOC, Switch, Controller Custom message: ${logdesc} Rule 2: Vlan interface change has occurred Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc='FortiSwitch system' and msg~"interface vlan" Tags: NOC, Switch, Controller Custom message: Device ${devname} interface vlan change with message: ${msg} Rule 3: Port switch detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Message Log messages that match all of the following conditions: logdesc="FortiSwitch link" AND msg~"switch port" Tags: NOC, Switch, Controller Custom message: ${logdesc} on Device: ${devname} with message: ${msg} Rule 4: Device flap detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Message Log messages that match all of the following conditions: msg~"flap" Tags: NOC, Switch, Controller Default message Rule 5: Device LAG-MCLAG status change Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: msg~"lag" OR msg~"mclag" Tags: NOC, Switch, Controller Custom message: Device: ${devname} LAG-MCLAG status update with message: ${msg} Rule 6: Device MCLAG split-brain detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: log_id=0115032695 and msg~"MCLAG split-brain" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 7: Device cable diagnose detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: log_id=0115032699 and msg~"CABLE DIAGNOSE" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 8: Device come up detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: log_id=="0115032695" and msg~"come up" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 9: Device gone down detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: log_id=="0115032695" and msg~"gone down" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}.
Default-NOC-HA-Events	Event handler for FortiGate device type logs to generate events for HA cluster updates and alerts including HA Device interface failure, Cluster Priority Changed, cluster member state moved, device interface down, HA device syncronization status, connection to FortiAnalyzer status, FortiManager tunnel connection status and connection with CSF member status. Disabled by default Rule 1: HA device interface failed Event Severity: High Log Type: Event > HA Group by: Device Name, Message Log messages that match all of the following conditions: logdesc=="HA device interface failed" and logid=="0108037898" Tags: NOC, HA, Cluster Default message Rule 2: Device set as HA primary Event Severity: High Log Type: Event > HA Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Device set as HA primary" Tags: NOC, HA, Cluster Custom message: Device: ${devname} has been set to HA Primary with msg: ${msg} Rule 3: Cluster state moved or Heartbeat device interface down Event Severity: High Log Type: Event > HA Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Virtual cluster member state moved" OR logdesc=="Heartbeat device interface down" Tags: NOC, HA, Cluster Custom message: Device: ${devname} ${logdesc} with HA role: ${ha_role} Rule 4: Synchronization activity detected Event Severity: High Log Type: Event > HA Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="HA secondary synchronization failed" OR logdesc=="Secondary sync failed" OR logdesc="Synchronization status with master" Tags: NOC, HA, Cluster Custom message: Device: HA synchronization status for Device: ${devname} ${logdesc}. Message: ${msg}. Status is: ${sync_status} Rule 5: FortiAnalyzer connection up Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: action="connect" and status="success" and logdesc="FortiAnalyzer connection up" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 6: FortiAnalyzer connection failed Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: action="connect" and status="failure" and logdesc="FortiAnalyzer connection failed" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 7: Upstream connection with CSF member established and authorized Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: direction="upstream" and logdesc="Connection with CSF member established and authorized" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 8: Upstream connection with authorized CSF member terminated Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: direction="upstream" and logdesc="Connection with authorized CSF member terminated" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 9: FortiManager tunnel connection up Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: action="connect" and status="success" and logdesc="FortiManager tunnel connection up" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${logdesc} with message - ${msg}. Rule 10: FortiManager tunnel connection down Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: action="connect" and status="failure" and logdesc="FortiManager tunnel connection down" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${logdesc} with message - ${msg}.
Default-NOC-Wireless-Events	Event handler for FortiGate device type logs to generate events for wireless wifi, AP updates and alerts including AP Status Change and Fake/Rogue AP detection, wireless client status change added/removed/allowed or denied status, signal to noise ratio (SNR) poor/fair/good, SSID status up/down. Disabled by default Rule 1: Fake AP detected Event Severity: Medium Log Type: Event > Wireless Group by: Device Name, SSID Log messages that match all of the following conditions: logid="0104043567" AND logdesc=="Fake AP detected" Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. SN: ${sndetected} Rule 2: Rogue AP detected Event Severity: Medium Log Type: Event > Wireless Group by: Device Name, SSID Log messages that match all of the following conditions: logid=="0104043563" AND logdesc=="Rogue AP detected" Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. SN: ${sndetected} with message: ${msg} Rule 3: Wireless event log id matched Event Severity: Medium Log Type: Event > Wireless Group by: Device Name, Message Log messages that match all of the following conditions: subtype="wireless" AND (logid=="0104043551" OR logid=="0104043552" OR logid=="0104043553") Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. of AP: ${ap} Rule 4: Wireless client activity detected Event Severity: Medium Log Type: Event > Wireless Group by: Device Name, Log Description Log messages that match all of the following conditions: (logdesc=="Wireless client associated" OR logdesc=="Wireless client authenticated" OR logdesc=="Wireless client disassociated" OR logdesc=="Wireless client deauthenticated" OR logdesc=="Wireless client idle" OR logdesc=="Wireless client denied" OR logdesc=="Wireless client kicked" OR logdesc="Wireless client IP assigned" OR logdesc=="Wireless client left WTP" OR logdesc=="Wireless client WTP disconnected") Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc} for ${ssid} with message: ${msg} Rule 5: Signal-to-noise ratio is poor Event Severity: Medium Log Type: Event > Wireless Group by: Device Name Log messages that match all of the following conditions: snr<="24" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has a poor quality SNR at ${snr} dB. Rule 6: Signal-to-noise ratio is fair Event Severity: Medium Log Type: Event > Wireless Group by: Device Name Log messages that match all of the following conditions: snr>="25" and snr<="40" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has fair quality SNR at ${snr} dB. Rule 7: Signal-to-noise ratio on is excellent Event Severity: Medium Log Type: Event > Wireless Group by: Device Name Log messages that match all of the following conditions: snr>="41" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has excellent quality SNR at ${snr} dB. Rule 8: Physical AP radio ssid up Event Severity: Medium Log Type: Event > Wireless Group by: SSID, Log Description Log messages that match all of the following conditions: logdesc="Physical AP radio ssid up" and action="ssid-up" Tags: NOC, Wireless, Wifi, AP Custom message: Device ${sn} SSID status change with message ${msg}. Rule 9: Physical AP radio ssid down Event Severity: Medium Log Type: Event > Wireless Group by: SSID, Log Description Log messages that match all of the following conditions: logdesc="Physical AP radio ssid down" and action="ssid-down" Tags: NOC, Wireless, Wifi, AP Custom message: Device ${sn} SSID status change with message ${msg}.
Default-NOC-Security-Events	Event handler for FortiGate device type logs to generate events for security events including Admin Logins failed or disabled, Admin or Admin Monitor Disconnected, Admin password expired and UTM Profile changes Disabled by default Rule 1: Admin login failed or desabled Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Admin login failed" OR logdesc=="Admin login disabled" OR logdesc=="SSL VPN login fail" Tags: NOC, Security, Login, Password Custom message: ${logdesc} for ${user} on device: ${devname} due to: ${reason} with message: ${msg} Rule 2: Admin password expired Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Admin password expired" Tags: NOC, Security, Login, Password Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 3: Admin disconnected Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Admin disconnected" OR logdesc=="Admin monitor disconnected" Tags: NOC, Security, Login, Password Custom message: ${logdesc} on device: ${devname} with message: ${msg} Rule 4: AV or IPS change detected Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="AV updated by admin" OR logdesc=="IPS package - Admin update successful" OR logdesc=="AV package update by SCP failed" OR logdesc=="IPS package failed to update via SCP" OR logdesc=="IPS custom signatures backup failed" Tags: NOC, Security, Login, Password Custom message: Device: ${devname} ${logdesc} with message: ${msg}
Default-NOC-Fabric-Events	Event handler for FortiAnalyzer and FortiGate log device type to detect Fabric events, including device offline, CSF member connection status down or terminated, CSF member configuration changes, automation stitch triggered , licenses that are expiring or failed updates. Disabled by default Rule 1: Device offline detected Event Severity: High Log Type: Application Group by: Logging Device Name, Message Log messages that match all of the following conditions: desc="Device offline" Tags: NOC, Fabric Custom message: ${logdev_id} is offline Rule 2: FortiAnalyzer connection down detected Event Severity: High Log Type: Event > System Group by: Device Name, Message Log messages that match all of the following conditions: logdesc="FortiAnalyzer connection down" Tags: NOC, Fabric Default message Rule 3: Connection with authorized CSF member terminated Event Severity: High Log Type: Event > System Group by: Device Name, Message Log messages that match all of the following conditions: logdesc="Connection with authorized CSF member terminated" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devid} due to: ${reason} Rule 4: Automation stitch triggered Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc="Automation stitch triggered" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devname} with message: ${msg} and stitch action: ${stitchaction} Rule 5: Device license failed or expiring detected Event Severity: Critical Log Type: Event > System Group by: Device Name, Message Log messages that match all of the following conditions: logdesc~"license failed" OR logdesc~"license expiring" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devid} Rule 6: System update or failure detected Event Severity: Critical Log Type: Event > System Group by: Device Name, Message Log messages that match all of the following conditions: logdesc~"update" AND logdesc~"failed" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devname} with message: ${msg} Rule 7: Security fabric settings change detected Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Settings modified by Security Fabric service" OR logdesc=="Looped configuration in Security Fabric service" OR logdesc=="Connection with CSF member established and authorized" OR logdesc=="Connection with authorized CSF member terminated" OR logdesc=="Serial number of upstream is changed" Tags: NOC, Fabric Custom message: Device: ${devname} change with message: ${msg}
Default-NOC-System-Events	Event handler for FortiGate device type logs to generate events for system events including Power failure and device shutdown, High Resource usage (CPU, Mem, Storage), log device full status warnings and disk rolled, and devices entering/exiting conserve mode. Disabled by default Rule 1: Device shutdown detected Event Severity: Critical Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc="Device shutdown" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devname} experienced $logdesc with message: ${msg} Rule 2: Device conserve mode detected Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="conserve mode" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${logdesc} on Device: ${devname} with message ${msg} Rule 3: Disk or memory is full Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Disk log full over first warning" OR logdesc=="Memory log full over first warning level" OR logdesc=="Memory log full over second warning level" OR logdesc=="Memory log full over final warning level" OR logdesc=="Disk full" OR logdesc=="Disk log rolled" OR logdesc=="Log disk full" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 4: Device high CPU consumption detected Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: cpu>="80" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devid} performance cpu: ${cpu} Rule 5: Device high memory consumption detected Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: mem>="75" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devid} performance memory: ${memory}
Default-NOC-VPN-Events	Event handler for FortiGate device type logs to generate events for VPN status changes including IPsec Phase1 error or failure, and Phase2 Up/Down and errors, Ipsec Tunnel Up/Down, VPN SSL login failures, IPSec ESP Error, IPsec DPD failures Disabled by default Rule 1: User SSL VPN login failed Event Severity: High Log Type: Event > VPN Group by: Device Name, End User Log messages that match all of the following conditions: logid=="0101039426" and action=="ssl-login-fail" Tags: NOC, VPN Custom message: ${logdesc} due to: ${reason} Rule 2: IPsec phase 1 error or status fail detected Event Severity: High Log Type: Event > VPN Group by: Device Name, Message Log messages that match all of the following conditions: (logid=="0101037124" OR logid=="0101037120") and (logdesc=="IPsec phase 1 error" OR status="fail") Tags: NOC, VPN Custom message: ${logdesc} due to: ${status} with reason: ${reason} Rule 3: IPsec ESP error detected Event Severity: High Log Type: Event > VPN Group by: Device Name, Message Log messages that match all of the following conditions: logid=="0101037131" and logdesc=="IPsec ESP" Tags: NOC, VPN Custom message: ${status} on: ${devname}, ${error_num} Rule 4: IPsec DPD failed Event Severity: High Log Type: Event > VPN Group by: Device Name, Message Log messages that match all of the following conditions: logid=="0101037136" and logdesc=="IPsec DPD failed" Tags: NOC, VPN Custom message: ${msg} on device: ${devname} Rule 5: Device tunnel-up or tunnel-down detected Event Severity: High Log Type: Event > VPN Group by: Device Name, Log Description Log messages that match all of the following conditions: logid="0101037138" and (action="tunnel-up" or action= "tunnel-down") Tags: NOC, VPN Custom message: ${msg} due to: ${action} Rule 6: IPsec phase 2 error detected Event Severity: High Log Type: Event > VPN Group by: Device Name, Message Log messages that match all of the following conditions: logid=="0101037125" and logdesc=="IPsec phase 2 error" Tags: NOC, VPN Custom message: ${logdesc} due to: ${reason} Rule 7: Device phase2-up or phase2-down detected Event Severity: Medium Log Type: Event > VPN Group by: Device Name, Message Log messages that match all of the following conditions: logid=="0101037139" and (action=="phase2-up" OR action=="phase2-down") Tags: NOC, VPN Custom message: ${logdesc} due to: ${action}
Default-NOC-SD-WAN-Events	Event handler for FortiGate device type logs to generate events for SD-WAN status, alerts, and health check events including SLA targets/SLA met or not met for jitter, latency, packetloss, Health-check server status (alive or dead), status (up or down), and member status change. Disabled by default Rule 1: SLA failed for jitter Event Severity: High Log Type: Event > SD-WAN Group by: Device Name, Health Check Log messages that match all of the following conditions: subtype=="sdwan" AND metric=="jitter" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${jitter} which violates the target ID ${slatargetid}. Rule 2: SLA failed for latency Event Severity: High Log Type: Event > SD-WAN Group by: Device Name, Health Check Log messages that match all of the following conditions: subtype=="sdwan" AND metric=="latency" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${latency} which violates the target ID ${slatargetid}. Rule 3: SLA failed for packetloss Event Severity: High Log Type: Event > SD-WAN Group by: Device Name, Health Check Log messages that match all of the following conditions: subtype=="sdwan" AND metric=="packetloss" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${packetloss} which violates the target ID ${slatargetid}. Rule 4: Device status changed to die Event Severity: Medium Log Type: Event > SD-WAN Group by: Device Name, Log Description Log messages that match all of the following conditions: logid="0113022925" AND newvalue="die" Tags: NOC, SD-WAN Custom message: Device: ${devname} with status ${newvalue}. ${msg}. Rule 5: Device status changed to alive. Event Severity: Medium Log Type: Event > SD-WAN Group by: Device Name, Log Description Log messages that match all of the following conditions: logid="0113022925" AND newvalue="alive" Tags: NOC, SD-WAN Custom message: Device: ${devname} with status ${newvalue}. ${msg}. Rule 6: Device status is up Event Severity: Medium Log Type: Event > SD-WAN Group by: Device Name, Health Check Log messages that match all of the following conditions: logid="0113022925" AND status=="up" Tags: NOC, SD-WAN Custom message: Device: ${devname} ${msg} status is ${status}. Rule 7: Device status is down Event Severity: Medium Log Type: Event > SD-WAN Group by: Device Name, Health Check Log messages that match all of the following conditions: logid="0113022925" AND status=="down" Tags: NOC, SD-WAN Custom message: Device: ${devname} ${msg} status is ${status}. Rule 8: Number of pass member changed Event Severity: Medium Log Type: Event > SD-WAN Group by: Device Name, Log Description Log messages that match all of the following conditions: logid="0113022923" AND msg="Number of pass member changed." Tags: NOC, SD-WAN Custom message: ${msg} from ${oldvalue} to ${newvalue} for ${devname} Rule 9: Member status changed Event Severity: Medium Log Type: Event > SD-WAN Group by: Device Name, Log Description Log messages that match all of the following conditions: logid="0113022923" AND msg="Member status changed. Member out-of-sla." Tags: NOC, SD-WAN Custom message: ${msg}. Member is now ${member} on ${devname}.
Default-NOC-Docker-Events	Event handler for FortiGate device type logs to generate events for Docker including inlcuding container enabled/disabled, CPU value set/max reached and MEM value set/max reached Disabled by default Rule 1: Memory report detected Event Severity: Medium Log Type: Event Group by: Type, Subtype Log messages that match all of the following conditions: log_id=="0042010266" and msg~"MEM" Tags: NOC, Docker Custom message: Device ${devname} with message ${msg}. Rule 2: CPU report detected Event Severity: Medium Log Type: Event Group by: Type, Subtype Log messages that match all of the following conditions: log_id=="0042010266" and msg~"CPU" Tags: NOC, Docker Custom message: Device ${devname} with message ${msg}. Rule 3: Status changed to disable 1 Event Severity: Medium Log Type: Event Group by: Type, Subtype Log messages that match all of the following conditions: log_id="0001010026" and changes~"status=disable" Tags: NOC, Docker Custom message: Device ${devname} with changes ${changes}. Rule 4: Status changed to disable 2 Event Severity: Medium Log Type: Event Group by: Type, Subtype Log messages that match all of the following conditions: log_id="0001010026" and changes~"status=disable" Tags: NOC, Docker Custom message: Device ${devname} with changes ${changes}.

Below are examples of raw logs that would trigger the associated default event handler.

Default Event Handler	Example Log
Local Device Event	id=6872390755323740160 itime=2020-09-14 10:06:03 euid=1 epid=1 dsteuid=1 dstepid=1 log_id=0034043006 subtype=logdb type=event level=warning time=10:06:03 date=2020-09-14 user=system action=delete msg=Requested to trim database tables older than 60 days to enforce the retention policy of Adom root. userfrom=system desc=Trim local db devid=FAZ-VMTM20001572 devname=FAZ-VMTM20001572 dtime=2020-09-14 10:06:03 itime_t=1600103163
Default-Compromised Host-Detection-by IOC-By-Threat	date=2020-09-20 time=07:41:20 id=6874471739997290516 itime=2020-09-20 00:41:20 euid=3 epid=1161 dsteuid=3 dstepid=101 type=utm subtype=ips level=warning sessionid=917509475 policyid=2 srcip=172.16.93.164 dstip=5.79.68.109 srcport=51392 dstport=80 proto=6 logid=0421016399 service=HTTP eventtime=1537181449 crscore=30 crlevel=high srcintfrole=lan dstintfrole=wan direction=outgoing url=/ hostname=survey-smiles.com profile=default eventtype=malicious-url srcintf=95-FortiCloud dstintf=OSPF msg=URL blocked by malicious-url-list devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:20 itime_t=1600587680 devname=FG100D3G02000011
Default-Risky-App-Detection-By-Threat	date=2020-09-20 time=07:41:23 id=6874471752882192399 itime=2020-09-20 00:41:23 euid=3 epid=1201 dsteuid=3 dstepid=101 type=utm subtype=app-ctrl level=information action=pass sessionid=3003333495 policyid=79 srcip=172.16.80.218 dstip=122.195.166.40 srcport=38625 dstport=26881 proto=6 logid=1059028704 service=tcp/26881 eventtime=1537399002 incidentserialno=603516169 crscore=5 crlevel=low direction=outgoing apprisk=high appid=6 srcintfrole=lan dstintfrole=wan applist=scan appcat=P2P app=BitTorrent eventtype=app-ctrl-all srcintf=80-software-r dstintf=port7 msg=P2P: BitTorrent_HTTP.Track, devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:23 itime_t=1600587683 devname=FG100D3G02000011
Default_NOC_Routing_Events	date=2021-02-08 time=10:36:09 eventtime=1612809370040652208 tz="-0800" logid="0103027001" type="event" subtype="router" level="information" vd="root" logdesc="VRRP state changed" interface="port1" msg="VRRP vrid 200 vrip 172.17.200.200 changes state from Master to Backup due to ADVERTISEMENT with higherer priority received"

FortiOS system events

FortiOS predefined system event handlers are consolidated into a single event handler with multiple rules called Default FOS System Events.

Events are organized by device in the FortiSoC/Incidents & Events dashboards, which can be expanded to view all related events.

Default FOS System Events rules apply tags to each event, allowing you to identify which Default FOS System Events rule triggered the event.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Administration Guide

Predefined event handlers