Predefined event handlers

FortiAnalyzer includes many predefined event handlers that you can use to generate events. You can easily create a custom event handler by cloning a predefined event handler and customizing its settings. See Cloning event handlers.

If you wish to recieve notifications from a pedefined event handler, configure a notification profile and assign it to the event handler. See Creating notification profiles.

In 6.2.0 and up, predefined event handlers have been consolidated and have multiple rules that can be enabled or disabled individually.

To view predefined event handlers in the FortiAnalyzer GUI, go to FortiSoC/Incidents & Events > Handlers > Event Handler List. From the More dropdown, select Show Predefined.

The following are a small sample of FortiAnalyzer predefined event handlers.

Event Handler	Description
Default-Compromised Host-Detection-IOC-By-Threat	Disabled by default Rule 1: Traffic to CnC detected Event Severity: Critical Log Type: Traffic Log > Any Group by: Destination IP, Source Endpoint Log messages that match all of the following conditions: tdtype~infected Tags: IP, C&C, Ioc_Rescan Custom Message: Traffic to C&C:${dstip}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 2: Web traffic to CnC detected Event Severity: Critical Log Type: Web Filter Group by: Hostname URL, Source Endpoint Log messages that match all of the following conditions: tdtype~infected Tags: C&C, URL, Ioc_Rescan Custom Message: Traffic to C&C:${hostname}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 3: DNS traffic to CnC detected Event Severity: Critical Log Type: DNS Log Group by: QNAME, Source Endpoint Log messages that match all of the following conditions: tdtype~infected Tags: C&C, Domain, Ioc_Rescan Custom Message: Traffic to C&C:${qname}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 4: Traffic to CnC event detected by FortiGate Event Severity: Critical Log Type: Event Log Log messages that match all of the following conditions: logid==0100020214 Tags: C&C Custom Message: FGT detected traffic to IOC location, from the source ip:${srcip}
Default-Data-Leak-Detection-By-Threat	Disabled by default Rule 1: Data leak detected Event Severity: Medium Log Type: DLP Group by: Filter Category, Source Endpoint Tags: Signature, Leak Custom Message: File:${filename} (Type:${filetype}, Size:${filesize}), Traffic path: PolicyID ${policyid}\${dstip}:${dstport} Rule 2: Data leak blocked Event Severity: Low Log Type: DLP Group by: Filter Category, Source Endpoint Event Status: Mitigated Tags: Signature, Leak Custom Message: File:${filename} (Type:${filetype}, Size:${filesize}), Traffic path: PolicyID ${policyid}\${dstip}:${dstport}
Default-Sandbox-Detections-By-Endpoint	Disabled by default Rule 1: Malware detected Event Severity: Critical Log Type: AntiVirus Group by: Source Endpoint, Virus Name Log messages that match all of the following conditions: logid==0211009235 or logid==0211009237 Tags: Sandbox, Signature, Malware Custom Message: Malware:${virus} with severity:${crlevel} found in file:${filename} from ${dstip}:${dstport}, Reference: ${ref} Rule 2: Malware blocked Event Severity: Critical Log Type: AntiVirus Group by: Source Endpoint, Virus Name Log messages that match all of the following conditions: logid==0211009234 or logid==0211009236 Tags: Sandbox, Signature, Malware Custom Message: Malware:${virus} with severity:${crlevel} found in file:${filename} from ${dstip}:${dstport}, Reference: ${ref} Rule 3: Sandbox detected Malware Event Severity: Critical Log Type: AntiVirus Group by: Source Endpoint Log messages that match all of the following conditions: logid==0201009238 and fsaverdict==malicious Tags: Sandbox, Malware Custom Message: File:${filename}, Traffic path: ${dstintf}(Policy:${policyid})\${dstip}:${dstport}, Checksum:${analyticscksum}
Default-Shadow-IT-Events	Requires a FortiCASB connector configured on FortiAnalyzer in Fabric View. See Creating or editing Security Fabric connectors. This automatically creates the Get Cloud Service Data (FortiCasb Connector) playbook, which must be enabled for this event handler to generate events. See Playbooks. Disabled by default Rule 1: Unsanctioned Applications detected Event Severity: High Log Type: Application Control Group by: Source IP, Application Name Log messages that match all of the following conditions: (siflags & 1) == 0 && siappid >=0 Tags: Unsanctioned_App Custom Message: Unsanctioned application ${app} with app risk: ${apprisk} detected on: ${devname} with message: ${msg} Rule 2: File Exfiltration Attempts detected Event Severity: High Log Type: Application Control Group by: Source IP, Application Name Log messages that match all of the following conditions: (siflags & 4) == 4 Tags: File_Exfiltration Custom Message: File exfiltration detected on: ${devname} with message: ${msg} Rule 3: Unsanctioned Users detected Event Severity: High Log Type: Application Control Group by: Source IP, Application Name Log messages that match all of the following conditions: (siflags & 1) == 1 && (siflags & 2) == 0 Tags: Unsanctioned_User Custom Message: Unsanctioned user: ${unauthuser} with app risk: ${apprisk} detected on: ${devname} with message: ${msg}
Local Device Event	Available only in the Root ADOM. Enabled by default Data Selector: Default Local Device Selector Rule 1: Critical or important events Event Severity: Medium Log Type: Event Group by: Log Description Log messages that match the following conditions: Level Greater Than or Equal To Warning Tags: System, Local
Default-NOC-Interface-Events	Event handler for FortiGate device type logs to generate events for vlan/interface status up or down, and DNS service on interface status. Disabled by default Rule 1: Interface status changed to up Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: action="interface-stat-change" and status="UP" Tags: NOC, Interface Custom message: Device ${devname}, status changed to ${status} with message ${msg}. Rule 2: Interface status changed to down Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: action="interface-stat-change" and status="DOWN" Tags: NOC, Interface Custom message: Device ${devname}, status changed to ${status} with message ${msg}. Rule 3: DNS server config added Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: cfgpath="system.dns-server" and action="Add" Tags: NOC, Interface, DNS Custom Message: Device ${devname}, DNS server status changed with message ${msg}. Rule 4: DNS server config deleted Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: cfgpath="system.dns-server" and action="Delete" Tags: NOC, Interface, DNS Custom Message: Device ${devname}, DNS server status changed with message ${msg}.
Default-NOC-FortiExtender-Events	Event handler for FortiGate device type logs to generate events for FortiExtender alerts, authorization and controller activity events. Disabled by default Rule 1: FortiExtender Authorized Event Severity: Medium Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: action="FortiExtender Authorized" Tags: NOC, FortiExtender Custom message: Device: ${ip} ${action} with message: ${msg} Rule 2: Warning event detected Event Severity: High Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: level="warning" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 3: Alert event detected Event Severity: High Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: level="alert" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 4: Critical event detected Event Severity: Critical Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: level="critical" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 5: Error event detected Event Severity: Medium Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: level="error" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 6: Emergency event detected Event Severity: Critical Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: level="emergency" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 7: FortiExtender controller activity detected Event Severity: Medium Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: logid="0111046401" and logdesc="FortiExtender controller activity" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 8: FortiExtender controller activity error detected Event Severity: Medium Log Type: Event > FortiExtender Group by: SN, Log Description Log messages that match all of the following conditions: logid="0111046402" and logdesc="FortiExtender controller activity error" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg}
Default-NOC-Routing-Events	Event handler for FortiGate device type logs to generate events for changes in routing information including BGP Neighbor Status, Routing information change, OSFP Neighbor Status, Neighbor Table Changed and VRRP State Changed Disabled by default Rule 1: Routing information changed Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc="Routing information changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 2: BGP neighbor status changed Event Severity: Medium Log Type: Event > Router Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc="BGP neighbor status changed" Tags: NOC, Routing Custom message: ${devname}. BGP neighbor status changed with message ${msg} Rule 3: OSPF or OSPF6 neighbor status changed Event Severity: Medium Log Type: Event > Router Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="OSPF neighbor status changed" OR logdesc=="OSPF6 neighbor status changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 4: Neighbor table changed Event Severity: Medium Log Type: Event > Router Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="neighbor table change" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 5: VRRP state changed Event Severity: Medium Log Type: Event > Router Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="VRRP state changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg}
Default-NOC-Network-Events	Event handler for FortiGate device type logs to generate network events including SNMP queries, routing information changes, DHCP server and status changes Disabled by default Rule 1: Device SNMP query failed Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logid="0100029021" AND logdesc="SNMP query failed" Tags: NOC, Network Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 2: Device routing information changed Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Routing information changed" Tags: NOC, Network Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 3: DHCP client lease granted or usage high Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="DHCP client lease granted" OR logdesc=="DHCP lease usage high" OR logdesc=="DHCP lease usage full" Tags: NOC, Network Custom message: DHCP status on Device ${devname} is ${logdesc} with message: ${msg} Rule 4: SNMP enabled Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: cfgpath="system.snmp.sysinfo" and logdesc="Attribute configured" and cfgattr=status[disable->enable] Tags: NOC, Network Custom message: Device ${devname} ${logdesc} ${cfgattr} with message ${msg}. Rule 5: SNMP disabled Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: cfgpath="system.snmp.sysinfo" and logdesc="Attribute configured" and cfgattr=status[enable->disable] Tags: NOC, Network Custom message: Device ${devname} ${logdesc} ${cfgattr} with message ${msg}. Rule 6: DHCP server status changed Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: cfgpath="system.dhcp.server" and logdesc="Object attribute configured" Tags: NOC, Network Custom message: DHCP server status change ${cfgattr} with message ${msg}. Rule 7: DHCP lease renewed Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: dhcp_msg="Ack" and logdesc="DHCP Ack log" Tags: NOC, Network Custom message: Host ${hostname} with message ${msg}. Rule 8: DHCP lease released Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: dhcp_msg="Release" and logdesc="DHCP Release log" Tags: NOC, Network Custom message: Host ${hostname} with message ${msg}.
Default-NOC-Switch-Events	Event handler for FortiGate device type logs to generate events for Switch-Controller added/deleted or authorized/deauthorized, Switch-Controller Status, Interface flapping, LAG/MCLAG and split-brain status, Cable test/diagnosis and physical port up/down Disabled by default Rule 1: Switch-Controller activity detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Message Log messages that match all of the following conditions: (subtype="switch-controller") and (logdesc=="Switch-Controller discovered" OR logdesc=="Switch-Controller authorized" OR logdesc=="Switch-Controller deauthorized" OR logdesc=="Switch-Controller deleted" OR logdesc=="Switch-Controller warning") Tags: NOC, Switch, Controller Custom message: ${logdesc} Rule 2: Vlan interface change has occurred Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc='FortiSwitch system' and msg~"interface vlan" Tags: NOC, Switch, Controller Custom message: Device ${devname} interface vlan change with message: ${msg} Rule 3: Port switch detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Message Log messages that match all of the following conditions: logdesc="FortiSwitch link" AND msg~"switch port" Tags: NOC, Switch, Controller Custom message: ${logdesc} on Device: ${devname} with message: ${msg} Rule 4: Device flap detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Message Log messages that match all of the following conditions: msg~"flap" Tags: NOC, Switch, Controller Default message Rule 5: Device LAG-MCLAG status change Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: msg~"lag" OR msg~"mclag" Tags: NOC, Switch, Controller Custom message: Device: ${devname} LAG-MCLAG status update with message: ${msg} Rule 6: Device MCLAG split-brain detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: log_id=0115032695 and msg~"MCLAG split-brain" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 7: Device cable diagnose detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: log_id=0115032699 and msg~"CABLE DIAGNOSE" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 8: Device come up detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: log_id=="0115032695" and msg~"come up" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 9: Device gone down detected Event Severity: Medium Log Type: Event > Any Group by: Device Name, Log Description Log messages that match all of the following conditions: log_id=="0115032695" and msg~"gone down" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}.
Default-NOC-HA-Events	Event handler for FortiGate device type logs to generate events for HA cluster updates and alerts including HA Device interface failure, Cluster Priority Changed, cluster member state moved, device interface down, HA device syncronization status, connection to FortiAnalyzer status, FortiManager tunnel connection status and connection with CSF member status. Disabled by default Rule 1: HA device interface failed Event Severity: High Log Type: Event > HA Group by: Device Name, Message Log messages that match all of the following conditions: logdesc=="HA device interface failed" and logid=="0108037898" Tags: NOC, HA, Cluster Default message Rule 2: Device set as HA primary Event Severity: High Log Type: Event > HA Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Device set as HA primary" Tags: NOC, HA, Cluster Custom message: Device: ${devname} has been set to HA Primary with msg: ${msg} Rule 3: Cluster state moved or Heartbeat device interface down Event Severity: High Log Type: Event > HA Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Virtual cluster member state moved" OR logdesc=="Heartbeat device interface down" Tags: NOC, HA, Cluster Custom message: Device: ${devname} ${logdesc} with HA role: ${ha_role} Rule 4: Synchronization activity detected Event Severity: High Log Type: Event > HA Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="HA secondary synchronization failed" OR logdesc=="Secondary sync failed" OR logdesc="Synchronization status with master" Tags: NOC, HA, Cluster Custom message: Device: HA synchronization status for Device: ${devname} ${logdesc}. Message: ${msg}. Status is: ${sync_status} Rule 5: FortiAnalyzer connection up Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: action="connect" and status="success" and logdesc="FortiAnalyzer connection up" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 6: FortiAnalyzer connection failed Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: action="connect" and status="failure" and logdesc="FortiAnalyzer connection failed" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 7: Upstream connection with CSF member established and authorized Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: direction="upstream" and logdesc="Connection with CSF member established and authorized" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 8: Upstream connection with authorized CSF member terminated Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: direction="upstream" and logdesc="Connection with authorized CSF member terminated" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 9: FortiManager tunnel connection up Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: action="connect" and status="success" and logdesc="FortiManager tunnel connection up" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${logdesc} with message - ${msg}. Rule 10: FortiManager tunnel connection down Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: action="connect" and status="failure" and logdesc="FortiManager tunnel connection down" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${logdesc} with message - ${msg}.
Default-NOC-Wireless-Events	Event handler for FortiGate device type logs to generate events for wireless wifi, AP updates and alerts including AP Status Change and Fake/Rogue AP detection, wireless client status change added/removed/allowed or denied status, signal to noise ratio (SNR) poor/fair/good, SSID status up/down. Disabled by default Rule 1: Fake AP detected Event Severity: Medium Log Type: Event > Wireless Group by: Device Name, SSID Log messages that match all of the following conditions: logid="0104043567" AND logdesc=="Fake AP detected" Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. SN: ${sndetected} Rule 2: Rogue AP detected Event Severity: Medium Log Type: Event > Wireless Group by: Device Name, SSID Log messages that match all of the following conditions: logid=="0104043563" AND logdesc=="Rogue AP detected" Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. SN: ${sndetected} with message: ${msg} Rule 3: Wireless event log id matched Event Severity: Medium Log Type: Event > Wireless Group by: Device Name, Message Log messages that match all of the following conditions: subtype="wireless" AND (logid=="0104043551" OR logid=="0104043552" OR logid=="0104043553") Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. of AP: ${ap} Rule 4: Wireless client activity detected Event Severity: Medium Log Type: Event > Wireless Group by: Device Name, Log Description Log messages that match all of the following conditions: (logdesc=="Wireless client associated" OR logdesc=="Wireless client authenticated" OR logdesc=="Wireless client disassociated" OR logdesc=="Wireless client deauthenticated" OR logdesc=="Wireless client idle" OR logdesc=="Wireless client denied" OR logdesc=="Wireless client kicked" OR logdesc="Wireless client IP assigned" OR logdesc=="Wireless client left WTP" OR logdesc=="Wireless client WTP disconnected") Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc} for ${ssid} with message: ${msg} Rule 5: Signal-to-noise ratio is poor Event Severity: Medium Log Type: Event > Wireless Group by: Device Name Log messages that match all of the following conditions: snr<="24" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has a poor quality SNR at ${snr} dB. Rule 6: Signal-to-noise ratio is fair Event Severity: Medium Log Type: Event > Wireless Group by: Device Name Log messages that match all of the following conditions: snr>="25" and snr<="40" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has fair quality SNR at ${snr} dB. Rule 7: Signal-to-noise ratio on is excellent Event Severity: Medium Log Type: Event > Wireless Group by: Device Name Log messages that match all of the following conditions: snr>="41" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has excellent quality SNR at ${snr} dB. Rule 8: Physical AP radio ssid up Event Severity: Medium Log Type: Event > Wireless Group by: SSID, Log Description Log messages that match all of the following conditions: logdesc="Physical AP radio ssid up" and action="ssid-up" Tags: NOC, Wireless, Wifi, AP Custom message: Device ${sn} SSID status change with message ${msg}. Rule 9: Physical AP radio ssid down Event Severity: Medium Log Type: Event > Wireless Group by: SSID, Log Description Log messages that match all of the following conditions: logdesc="Physical AP radio ssid down" and action="ssid-down" Tags: NOC, Wireless, Wifi, AP Custom message: Device ${sn} SSID status change with message ${msg}.
Default-NOC-Security-Events	Event handler for FortiGate device type logs to generate events for security events including Admin Logins failed or disabled, Admin or Admin Monitor Disconnected, Admin password expired and UTM Profile changes Disabled by default Rule 1: Admin login failed or desabled Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Admin login failed" OR logdesc=="Admin login disabled" OR logdesc=="SSL VPN login fail" Tags: NOC, Security, Login, Password Custom message: ${logdesc} for ${user} on device: ${devname} due to: ${reason} with message: ${msg} Rule 2: Admin password expired Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Admin password expired" Tags: NOC, Security, Login, Password Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 3: Admin disconnected Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Admin disconnected" OR logdesc=="Admin monitor disconnected" Tags: NOC, Security, Login, Password Custom message: ${logdesc} on device: ${devname} with message: ${msg} Rule 4: AV or IPS change detected Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="AV updated by admin" OR logdesc=="IPS package - Admin update successful" OR logdesc=="AV package update by SCP failed" OR logdesc=="IPS package failed to update via SCP" OR logdesc=="IPS custom signatures backup failed" Tags: NOC, Security, Login, Password Custom message: Device: ${devname} ${logdesc} with message: ${msg}
Default-NOC-Fabric-Events	Event handler for FortiAnalyzer and FortiGate log device type to detect Fabric events, including device offline, CSF member connection status down or terminated, CSF member configuration changes, automation stitch triggered , licenses that are expiring or failed updates. Disabled by default Rule 1: Device offline detected Event Severity: High Log Type: Application Group by: Logging Device Name, Message Log messages that match all of the following conditions: desc="Device offline" Tags: NOC, Fabric Custom message: ${logdev_id} is offline Rule 2: FortiAnalyzer connection down detected Event Severity: High Log Type: Event > System Group by: Device Name, Message Log messages that match all of the following conditions: logdesc="FortiAnalyzer connection down" Tags: NOC, Fabric Default message Rule 3: Connection with authorized CSF member terminated Event Severity: High Log Type: Event > System Group by: Device Name, Message Log messages that match all of the following conditions: logdesc="Connection with authorized CSF member terminated" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devid} due to: ${reason} Rule 4: Automation stitch triggered Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc="Automation stitch triggered" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devname} with message: ${msg} and stitch action: ${stitchaction} Rule 5: Device license failed or expiring detected Event Severity: Critical Log Type: Event > System Group by: Device Name, Message Log messages that match all of the following conditions: logdesc~"license failed" OR logdesc~"license expiring" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devid} Rule 6: System update or failure detected Event Severity: Critical Log Type: Event > System Group by: Device Name, Message Log messages that match all of the following conditions: logdesc~"update" AND logdesc~"failed" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devname} with message: ${msg} Rule 7: Security fabric settings change detected Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Settings modified by Security Fabric service" OR logdesc=="Looped configuration in Security Fabric service" OR logdesc=="Connection with CSF member established and authorized" OR logdesc=="Connection with authorized CSF member terminated" OR logdesc=="Serial number of upstream is changed" Tags: NOC, Fabric Custom message: Device: ${devname} change with message: ${msg}
Default-NOC-System-Events	Event handler for FortiGate device type logs to generate events for system events including Power failure and device shutdown, High Resource usage (CPU, Mem, Storage), log device full status warnings and disk rolled, and devices entering/exiting conserve mode. Disabled by default Rule 1: Device shutdown detected Event Severity: Critical Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc="Device shutdown" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devname} experienced $logdesc with message: ${msg} Rule 2: Device conserve mode detected Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="conserve mode" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${logdesc} on Device: ${devname} with message ${msg} Rule 3: Disk or memory is full Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: logdesc=="Disk log full over first warning" OR logdesc=="Memory log full over first warning level" OR logdesc=="Memory log full over second warning level" OR logdesc=="Memory log full over final warning level" OR logdesc=="Disk full" OR logdesc=="Disk log rolled" OR logdesc=="Log disk full" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 4: Device high CPU consumption detected Event Severity: High Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: cpu>="80" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devid} performance cpu: ${cpu} Rule 5: Device high memory consumption detected Event Severity: Medium Log Type: Event > System Group by: Device Name, Log Description Log messages that match all of the following conditions: mem>="75" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devid} performance memory: ${memory}
Default-NOC-VPN-Events	Event handler for FortiGate device type logs to generate events for VPN status changes including IPsec Phase1 error or failure, and Phase2 Up/Down and errors, Ipsec Tunnel Up/Down, VPN SSL login failures, IPSec ESP Error, IPsec DPD failures Disabled by default Rule 1: User SSL VPN login failed Event Severity: High Log Type: Event > VPN Group by: Device Name, End User Log messages that match all of the following conditions: logid=="0101039426" and action=="ssl-login-fail" Tags: NOC, VPN Custom message: ${logdesc} due to: ${reason} Rule 2: IPsec phase 1 error or status fail detected Event Severity: High Log Type: Event > VPN Group by: Device Name, Message Log messages that match all of the following conditions: (logid=="0101037124" OR logid=="0101037120") and (logdesc=="IPsec phase 1 error" OR status="fail") Tags: NOC, VPN Custom message: ${logdesc} due to: ${status} with reason: ${reason} Rule 3: IPsec ESP error detected Event Severity: High Log Type: Event > VPN Group by: Device Name, Message Log messages that match all of the following conditions: logid=="0101037131" and logdesc=="IPsec ESP" Tags: NOC, VPN Custom message: ${status} on: ${devname}, ${error_num} Rule 4: IPsec DPD failed Event Severity: High Log Type: Event > VPN Group by: Device Name, Message Log messages that match all of the following conditions: logid=="0101037136" and logdesc=="IPsec DPD failed" Tags: NOC, VPN Custom message: ${msg} on device: ${devname} Rule 5: Device tunnel-up or tunnel-down detected Event Severity: High Log Type: Event > VPN Group by: Device Name, Log Description Log messages that match all of the following conditions: logid="0101037138" and (action="tunnel-up" or action= "tunnel-down") Tags: NOC, VPN Custom message: ${msg} due to: ${action} Rule 6: IPsec phase 2 error detected Event Severity: High Log Type: Event > VPN Group by: Device Name, Message Log messages that match all of the following conditions: logid=="0101037125" and logdesc=="IPsec phase 2 error" Tags: NOC, VPN Custom message: ${logdesc} due to: ${reason} Rule 7: Device phase2-up or phase2-down detected Event Severity: Medium Log Type: Event > VPN Group by: Device Name, Message Log messages that match all of the following conditions: logid=="0101037139" and (action=="phase2-up" OR action=="phase2-down") Tags: NOC, VPN Custom message: ${logdesc} due to: ${action}
Default-NOC-SD-WAN-Events	Event handler for FortiGate device type logs to generate events for SD-WAN status, alerts, and health check events including SLA targets/SLA met or not met for jitter, latency, packetloss, Health-check server status (alive or dead), status (up or down), and member status change. Disabled by default Rule 1: SLA failed for jitter Event Severity: High Log Type: Event > SD-WAN Group by: Device Name, Health Check Log messages that match all of the following conditions: subtype=="sdwan" AND metric=="jitter" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${jitter} which violates the target ID ${slatargetid}. Rule 2: SLA failed for latency Event Severity: High Log Type: Event > SD-WAN Group by: Device Name, Health Check Log messages that match all of the following conditions: subtype=="sdwan" AND metric=="latency" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${latency} which violates the target ID ${slatargetid}. Rule 3: SLA failed for packetloss Event Severity: High Log Type: Event > SD-WAN Group by: Device Name, Health Check Log messages that match all of the following conditions: subtype=="sdwan" AND metric=="packetloss" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${packetloss} which violates the target ID ${slatargetid}. Rule 4: Device status changed to die Event Severity: Medium Log Type: Event > SD-WAN Group by: Device Name, Log Description Log messages that match all of the following conditions: logid="0113022925" AND newvalue="die" Tags: NOC, SD-WAN Custom message: Device: ${devname} with status ${newvalue}. ${msg}. Rule 5: Device status changed to alive. Event Severity: Medium Log Type: Event > SD-WAN Group by: Device Name, Log Description Log messages that match all of the following conditions: logid="0113022925" AND newvalue="alive" Tags: NOC, SD-WAN Custom message: Device: ${devname} with status ${newvalue}. ${msg}. Rule 6: Device status is up Event Severity: Medium Log Type: Event > SD-WAN Group by: Device Name, Health Check Log messages that match all of the following conditions: logid="0113022925" AND status=="up" Tags: NOC, SD-WAN Custom message: Device: ${devname} ${msg} status is ${status}. Rule 7: Device status is down Event Severity: Medium Log Type: Event > SD-WAN Group by: Device Name, Health Check Log messages that match all of the following conditions: logid="0113022925" AND status=="down" Tags: NOC, SD-WAN Custom message: Device: ${devname} ${msg} status is ${status}. Rule 8: Number of pass member changed Event Severity: Medium Log Type: Event > SD-WAN Group by: Device Name, Log Description Log messages that match all of the following conditions: logid="0113022923" AND msg="Number of pass member changed." Tags: NOC, SD-WAN Custom message: ${msg} from ${oldvalue} to ${newvalue} for ${devname} Rule 9: Member status changed Event Severity: Medium Log Type: Event > SD-WAN Group by: Device Name, Log Description Log messages that match all of the following conditions: logid="0113022923" AND msg="Member status changed. Member out-of-sla." Tags: NOC, SD-WAN Custom message: ${msg}. Member is now ${member} on ${devname}.
Default-NOC-Docker-Events	Event handler for FortiGate device type logs to generate events for Docker including inlcuding container enabled/disabled, CPU value set/max reached and MEM value set/max reached Disabled by default Rule 1: Memory report detected Event Severity: Medium Log Type: Event Group by: Type, Subtype Log messages that match all of the following conditions: log_id=="0042010266" and msg~"MEM" Tags: NOC, Docker Custom message: Device ${devname} with message ${msg}. Rule 2: CPU report detected Event Severity: Medium Log Type: Event Group by: Type, Subtype Log messages that match all of the following conditions: log_id=="0042010266" and msg~"CPU" Tags: NOC, Docker Custom message: Device ${devname} with message ${msg}. Rule 3: Status changed to disable 1 Event Severity: Medium Log Type: Event Group by: Type, Subtype Log messages that match all of the following conditions: log_id="0001010026" and changes~"status=disable" Tags: NOC, Docker Custom message: Device ${devname} with changes ${changes}. Rule 4: Status changed to disable 2 Event Severity: Medium Log Type: Event Group by: Type, Subtype Log messages that match all of the following conditions: log_id="0001010026" and changes~"status=disable" Tags: NOC, Docker Custom message: Device ${devname} with changes ${changes}.

Below are examples of raw logs that would trigger the associated default event handler.

Default Event Handler	Example Log
Local Device Event	id=6872390755323740160 itime=2020-09-14 10:06:03 euid=1 epid=1 dsteuid=1 dstepid=1 log_id=0034043006 subtype=logdb type=event level=warning time=10:06:03 date=2020-09-14 user=system action=delete msg=Requested to trim database tables older than 60 days to enforce the retention policy of Adom root. userfrom=system desc=Trim local db devid=FAZ-VMTM20001572 devname=FAZ-VMTM20001572 dtime=2020-09-14 10:06:03 itime_t=1600103163
Default-Compromised Host-Detection-by IOC-By-Threat	date=2020-09-20 time=07:41:20 id=6874471739997290516 itime=2020-09-20 00:41:20 euid=3 epid=1161 dsteuid=3 dstepid=101 type=utm subtype=ips level=warning sessionid=917509475 policyid=2 srcip=172.16.93.164 dstip=5.79.68.109 srcport=51392 dstport=80 proto=6 logid=0421016399 service=HTTP eventtime=1537181449 crscore=30 crlevel=high srcintfrole=lan dstintfrole=wan direction=outgoing url=/ hostname=survey-smiles.com profile=default eventtype=malicious-url srcintf=95-FortiCloud dstintf=OSPF msg=URL blocked by malicious-url-list devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:20 itime_t=1600587680 devname=FG100D3G02000011
Default-Risky-App-Detection-By-Threat	date=2020-09-20 time=07:41:23 id=6874471752882192399 itime=2020-09-20 00:41:23 euid=3 epid=1201 dsteuid=3 dstepid=101 type=utm subtype=app-ctrl level=information action=pass sessionid=3003333495 policyid=79 srcip=172.16.80.218 dstip=122.195.166.40 srcport=38625 dstport=26881 proto=6 logid=1059028704 service=tcp/26881 eventtime=1537399002 incidentserialno=603516169 crscore=5 crlevel=low direction=outgoing apprisk=high appid=6 srcintfrole=lan dstintfrole=wan applist=scan appcat=P2P app=BitTorrent eventtype=app-ctrl-all srcintf=80-software-r dstintf=port7 msg=P2P: BitTorrent_HTTP.Track, devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:23 itime_t=1600587683 devname=FG100D3G02000011
Default_NOC_Routing_Events	date=2021-02-08 time=10:36:09 eventtime=1612809370040652208 tz="-0800" logid="0103027001" type="event" subtype="router" level="information" vd="root" logdesc="VRRP state changed" interface="port1" msg="VRRP vrid 200 vrip 172.17.200.200 changes state from Master to Backup due to ADVERTISEMENT with higherer priority received"

FortiOS system events

FortiOS predefined system event handlers are consolidated into a single event handler with multiple rules called Default FOS System Events.

Events are organized by device in the FortiSoC/Incidents & Events dashboards, which can be expanded to view all related events.

Default FOS System Events rules apply tags to each event, allowing you to identify which Default FOS System Events rule triggered the event.

If you are upgrading from a version before FortiAnalyzer 6.2.0, the existing legacy predefined handlers which are enabled or have been modified will be available as custom handlers. In the Event Handler List, select the More dropdown and choose Show Custom.

Event Handler

Description

Default-Compromised Host-Detection-IOC-By-Threat

Disabled by default

Rule 1: Traffic to CnC detected

Event Severity: Critical
Log Type: Traffic Log > Any
Group by: Destination IP, Source Endpoint
Log messages that match all of the following conditions:
- tdtype~infected
Tags: IP, C&C, Ioc_Rescan
Custom Message: Traffic to C&C:${dstip}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport}

Rule 2: Web traffic to CnC detected

Event Severity: Critical
Log Type: Web Filter
Group by: Hostname URL, Source Endpoint
Log messages that match all of the following conditions:
- tdtype~infected
Tags: C&C, URL, Ioc_Rescan
Custom Message: Traffic to C&C:${hostname}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport}

Rule 3: DNS traffic to CnC detected

Event Severity: Critical
Log Type: DNS Log
Group by: QNAME, Source Endpoint
Log messages that match all of the following conditions:
- tdtype~infected
Tags: C&C, Domain, Ioc_Rescan
Custom Message: Traffic to C&C:${qname}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport}

Rule 4: Traffic to CnC event detected by FortiGate

Event Severity: Critical
Log Type: Event Log
Log messages that match all of the following conditions:
- logid==0100020214
Tags: C&C
Custom Message: FGT detected traffic to IOC location, from the source ip:${srcip}

Default-Data-Leak-Detection-By-Threat

Disabled by default

Rule 1: Data leak detected

Event Severity: Medium
Log Type: DLP
Group by: Filter Category, Source Endpoint
Tags: Signature, Leak
Custom Message: File:${filename} (Type:${filetype}, Size:${filesize}), Traffic path: PolicyID ${policyid}\${dstip}:${dstport}

Rule 2: Data leak blocked

Event Severity: Low
Log Type: DLP
Group by: Filter Category, Source Endpoint
Event Status: Mitigated
Tags: Signature, Leak
Custom Message: File:${filename} (Type:${filetype}, Size:${filesize}), Traffic path: PolicyID ${policyid}\${dstip}:${dstport}

Default-Sandbox-Detections-By-Endpoint

Disabled by default

Rule 1: Malware detected

Event Severity: Critical
Log Type: AntiVirus
Group by: Source Endpoint, Virus Name
Log messages that match all of the following conditions:
- logid==0211009235 or logid==0211009237
Tags: Sandbox, Signature, Malware
Custom Message: Malware:${virus} with severity:${crlevel} found in file:${filename} from ${dstip}:${dstport}, Reference: ${ref}

Rule 2: Malware blocked

Event Severity: Critical
Log Type: AntiVirus
Group by: Source Endpoint, Virus Name
Log messages that match all of the following conditions:
- logid==0211009234 or logid==0211009236
Tags: Sandbox, Signature, Malware
Custom Message: Malware:${virus} with severity:${crlevel} found in file:${filename} from ${dstip}:${dstport}, Reference: ${ref}

Rule 3: Sandbox detected Malware

Event Severity: Critical
Log Type: AntiVirus
Group by: Source Endpoint
Log messages that match all of the following conditions:
- logid==0201009238 and fsaverdict==malicious
Tags: Sandbox, Malware
Custom Message: File:${filename}, Traffic path: ${dstintf}(Policy:${policyid})\${dstip}:${dstport}, Checksum:${analyticscksum}

Default-Shadow-IT-Events

Requires a FortiCASB connector configured on FortiAnalyzer in Fabric View. See Creating or editing Security Fabric connectors. This automatically creates the Get Cloud Service Data (FortiCasb Connector) playbook, which must be enabled for this event handler to generate events. See Playbooks.

Disabled by default

Rule 1: Unsanctioned Applications detected

Event Severity: High
Log Type: Application Control
Group by: Source IP, Application Name
Log messages that match all of the following conditions:
- (siflags & 1) == 0 && siappid >=0
Tags: Unsanctioned_App
Custom Message: Unsanctioned application ${app} with app risk: ${apprisk} detected on: ${devname} with message: ${msg}

Rule 2: File Exfiltration Attempts detected

Event Severity: High
Log Type: Application Control
Group by: Source IP, Application Name
Log messages that match all of the following conditions:
- (siflags & 4) == 4
Tags: File_Exfiltration
Custom Message: File exfiltration detected on: ${devname} with message: ${msg}

Rule 3: Unsanctioned Users detected

Event Severity: High
Log Type: Application Control
Group by: Source IP, Application Name
Log messages that match all of the following conditions:
- (siflags & 1) == 1 && (siflags & 2) == 0
Tags: Unsanctioned_User
Custom Message: Unsanctioned user: ${unauthuser} with app risk: ${apprisk} detected on: ${devname} with message: ${msg}

Local Device Event

Available only in the Root ADOM.

Enabled by default

Data Selector: Default Local Device Selector

Rule 1: Critical or important events

Event Severity: Medium
Log Type: Event
Group by: Log Description
Log messages that match the following conditions:
- Level Greater Than or Equal To Warning
Tags: System, Local

Default-NOC-Interface-Events

Event handler for FortiGate device type logs to generate events for vlan/interface status up or down, and DNS service on interface status.

Disabled by default

Rule 1: Interface status changed to up

Event Severity: Medium
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- action="interface-stat-change" and status="UP"
Tags: NOC, Interface
Custom message: Device ${devname}, status changed to ${status} with message ${msg}.

Rule 2: Interface status changed to down

Event Severity: Medium
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- action="interface-stat-change" and status="DOWN"
Tags: NOC, Interface
Custom message: Device ${devname}, status changed to ${status} with message ${msg}.

Rule 3: DNS server config added

Event Severity: Medium
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- cfgpath="system.dns-server" and action="Add"
Tags: NOC, Interface, DNS
Custom Message: Device ${devname}, DNS server status changed with message ${msg}.

Rule 4: DNS server config deleted

Event Severity: Medium
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- cfgpath="system.dns-server" and action="Delete"
Tags: NOC, Interface, DNS
Custom Message: Device ${devname}, DNS server status changed with message ${msg}.

Default-NOC-FortiExtender-Events

Event handler for FortiGate device type logs to generate events for FortiExtender alerts, authorization and controller activity events.

Disabled by default

Rule 1: FortiExtender Authorized

Event Severity: Medium
Log Type: Event > FortiExtender
Group by: SN, Log Description
Log messages that match all of the following conditions:
- action="FortiExtender Authorized"
Tags: NOC, FortiExtender
Custom message: Device: ${ip} ${action} with message: ${msg}

Rule 2: Warning event detected

Event Severity: High
Log Type: Event > FortiExtender
Group by: SN, Log Description
Log messages that match all of the following conditions:
- level="warning"
Tags: NOC, FortiExtender
Custom message: ${action} on ${ip} with message: ${msg}

Rule 3: Alert event detected

Event Severity: High
Log Type: Event > FortiExtender
Group by: SN, Log Description
Log messages that match all of the following conditions:
- level="alert"
Tags: NOC, FortiExtender
Custom message: ${action} on ${ip} with message: ${msg}

Rule 4: Critical event detected

Event Severity: Critical
Log Type: Event > FortiExtender
Group by: SN, Log Description
Log messages that match all of the following conditions:
- level="critical"
Tags: NOC, FortiExtender
Custom message: ${action} on ${ip} with message: ${msg}

Rule 5: Error event detected

Event Severity: Medium
Log Type: Event > FortiExtender
Group by: SN, Log Description
Log messages that match all of the following conditions:
- level="error"
Tags: NOC, FortiExtender
Custom message: ${action} on ${ip} with message: ${msg}

Rule 6: Emergency event detected

Event Severity: Critical
Log Type: Event > FortiExtender
Group by: SN, Log Description
Log messages that match all of the following conditions:
- level="emergency"
Tags: NOC, FortiExtender
Custom message: ${action} on ${ip} with message: ${msg}

Rule 7: FortiExtender controller activity detected

Event Severity: Medium
Log Type: Event > FortiExtender
Group by: SN, Log Description
Log messages that match all of the following conditions:
- logid="0111046401" and logdesc="FortiExtender controller activity"
Tags: NOC, FortiExtender
Custom message: ${action} on ${ip} with message: ${msg}

Rule 8: FortiExtender controller activity error detected

Event Severity: Medium
Log Type: Event > FortiExtender
Group by: SN, Log Description
Log messages that match all of the following conditions:
- logid="0111046402" and logdesc="FortiExtender controller activity error"
Tags: NOC, FortiExtender
Custom message: ${action} on ${ip} with message: ${msg}

Default-NOC-Routing-Events

Event handler for FortiGate device type logs to generate events for changes in routing information including BGP Neighbor Status, Routing information change, OSFP Neighbor Status, Neighbor Table Changed and VRRP State Changed

Disabled by default

Rule 1: Routing information changed

Event Severity: Medium
Log Type: Event > Any
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logdesc="Routing information changed"
Tags: NOC, Routing
Custom message: ${logdesc} on ${devname} with message ${msg}

Rule 2: BGP neighbor status changed

Event Severity: Medium
Log Type: Event > Router
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logdesc="BGP neighbor status changed"
Tags: NOC, Routing
Custom message: ${devname}. BGP neighbor status changed with message ${msg}

Rule 3: OSPF or OSPF6 neighbor status changed

Event Severity: Medium
Log Type: Event > Router
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logdesc=="OSPF neighbor status changed" OR logdesc=="OSPF6 neighbor status changed"
Tags: NOC, Routing
Custom message: ${logdesc} on ${devname} with message ${msg}

Rule 4: Neighbor table changed

Event Severity: Medium
Log Type: Event > Router
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logdesc=="neighbor table change"
Tags: NOC, Routing
Custom message: ${logdesc} on ${devname} with message ${msg}

Rule 5: VRRP state changed

Event Severity: Medium
Log Type: Event > Router
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logdesc=="VRRP state changed"
Tags: NOC, Routing
Custom message: ${logdesc} on ${devname} with message ${msg}

Default-NOC-Network-Events

Event handler for FortiGate device type logs to generate network events including SNMP queries, routing information changes, DHCP server and status changes

Disabled by default

Rule 1: Device SNMP query failed

Event Severity: High
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logid="0100029021" AND logdesc="SNMP query failed"
Tags: NOC, Network
Custom message: Device: ${devname} ${logdesc} with message: ${msg}

Rule 2: Device routing information changed

Event Severity: High
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logdesc=="Routing information changed"
Tags: NOC, Network
Custom message: Device: ${devname} ${logdesc} with message: ${msg}

Rule 3: DHCP client lease granted or usage high

Event Severity: High
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logdesc=="DHCP client lease granted" OR logdesc=="DHCP lease usage high" OR logdesc=="DHCP lease usage full"
Tags: NOC, Network
Custom message: DHCP status on Device ${devname} is ${logdesc} with message: ${msg}

Rule 4: SNMP enabled

Event Severity: Medium
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- cfgpath="system.snmp.sysinfo" and logdesc="Attribute configured" and cfgattr=status[disable->enable]
Tags: NOC, Network
Custom message: Device ${devname} ${logdesc} ${cfgattr} with message ${msg}.

Rule 5: SNMP disabled

Event Severity: Medium
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- cfgpath="system.snmp.sysinfo" and logdesc="Attribute configured" and cfgattr=status[enable->disable]
Tags: NOC, Network
Custom message: Device ${devname} ${logdesc} ${cfgattr} with message ${msg}.

Rule 6: DHCP server status changed

Event Severity: Medium
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- cfgpath="system.dhcp.server" and logdesc="Object attribute configured"
Tags: NOC, Network
Custom message: DHCP server status change ${cfgattr} with message ${msg}.

Rule 7: DHCP lease renewed

Event Severity: Medium
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- dhcp_msg="Ack" and logdesc="DHCP Ack log"
Tags: NOC, Network
Custom message: Host ${hostname} with message ${msg}.

Rule 8: DHCP lease released

Event Severity: Medium
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- dhcp_msg="Release" and logdesc="DHCP Release log"
Tags: NOC, Network
Custom message: Host ${hostname} with message ${msg}.

Default-NOC-Switch-Events

Event handler for FortiGate device type logs to generate events for Switch-Controller added/deleted or authorized/deauthorized, Switch-Controller Status, Interface flapping, LAG/MCLAG and split-brain status, Cable test/diagnosis and physical port up/down

Disabled by default

Rule 1: Switch-Controller activity detected

Event Severity: Medium
Log Type: Event > Any
Group by: Device Name, Message
Log messages that match all of the following conditions:
- (subtype="switch-controller") and (logdesc=="Switch-Controller discovered" OR logdesc=="Switch-Controller authorized" OR logdesc=="Switch-Controller deauthorized" OR logdesc=="Switch-Controller deleted" OR logdesc=="Switch-Controller warning")
Tags: NOC, Switch, Controller
Custom message: ${logdesc}

Rule 2: Vlan interface change has occurred

Event Severity: Medium
Log Type: Event > Any
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logdesc='FortiSwitch system' and msg~"interface vlan"
Tags: NOC, Switch, Controller
Custom message: Device ${devname} interface vlan change with message: ${msg}

Rule 3: Port switch detected

Event Severity: Medium
Log Type: Event > Any
Group by: Device Name, Message
Log messages that match all of the following conditions:
- logdesc="FortiSwitch link" AND msg~"switch port"
Tags: NOC, Switch, Controller
Custom message: ${logdesc} on Device: ${devname} with message: ${msg}

Rule 4: Device flap detected

Event Severity: Medium
Log Type: Event > Any
Group by: Device Name, Message
Log messages that match all of the following conditions:
- msg~"flap"
Tags: NOC, Switch, Controller
Default message

Rule 5: Device LAG-MCLAG status change

Event Severity: Medium
Log Type: Event > Any
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- msg~"lag" OR msg~"mclag"
Tags: NOC, Switch, Controller
Custom message: Device: ${devname} LAG-MCLAG status update with message: ${msg}

Rule 6: Device MCLAG split-brain detected

Event Severity: Medium
Log Type: Event > Any
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- log_id=0115032695 and msg~"MCLAG split-brain"
Tags: NOC, Switch, Controller
Custom message: Device ${devname} ${msg}.

Rule 7: Device cable diagnose detected

Event Severity: Medium
Log Type: Event > Any
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- log_id=0115032699 and msg~"CABLE DIAGNOSE"
Tags: NOC, Switch, Controller
Custom message: Device ${devname} ${msg}.

Rule 8: Device come up detected

Event Severity: Medium
Log Type: Event > Any
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- log_id=="0115032695" and msg~"come up"
Tags: NOC, Switch, Controller
Custom message: Device ${devname} ${msg}.

Rule 9: Device gone down detected

Event Severity: Medium
Log Type: Event > Any
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- log_id=="0115032695" and msg~"gone down"
Tags: NOC, Switch, Controller
Custom message: Device ${devname} ${msg}.

Default-NOC-HA-Events

Event handler for FortiGate device type logs to generate events for HA cluster updates and alerts including HA Device interface failure, Cluster Priority Changed, cluster member state moved, device interface down, HA device syncronization status, connection to FortiAnalyzer status, FortiManager tunnel connection status and connection with CSF member status.

Disabled by default

Rule 1: HA device interface failed

Event Severity: High
Log Type: Event > HA
Group by: Device Name, Message
Log messages that match all of the following conditions:
- logdesc=="HA device interface failed" and logid=="0108037898"
Tags: NOC, HA, Cluster
Default message

Rule 2: Device set as HA primary

Event Severity: High
Log Type: Event > HA
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logdesc=="Device set as HA primary"
Tags: NOC, HA, Cluster
Custom message: Device: ${devname} has been set to HA Primary with msg: ${msg}

Rule 3: Cluster state moved or Heartbeat device interface down

Event Severity: High
Log Type: Event > HA
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logdesc=="Virtual cluster member state moved" OR logdesc=="Heartbeat device interface down"
Tags: NOC, HA, Cluster
Custom message: Device: ${devname} ${logdesc} with HA role: ${ha_role}

Rule 4: Synchronization activity detected

Event Severity: High
Log Type: Event > HA
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logdesc=="HA secondary synchronization failed" OR logdesc=="Secondary sync failed" OR logdesc="Synchronization status with master"
Tags: NOC, HA, Cluster
Custom message: Device: HA synchronization status for Device: ${devname} ${logdesc}. Message: ${msg}. Status is: ${sync_status}

Rule 5: FortiAnalyzer connection up

Event Severity: Medium
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- action="connect" and status="success" and logdesc="FortiAnalyzer connection up"
Tags: NOC, HA, Cluster
Custom message: Device ${devname} ${msg}.

Rule 6: FortiAnalyzer connection failed

Event Severity: High
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- action="connect" and status="failure" and logdesc="FortiAnalyzer connection failed"
Tags: NOC, HA, Cluster
Custom message: Device ${devname} ${msg}.

Rule 7: Upstream connection with CSF member established and authorized

Event Severity: Medium
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
direction="upstream" and logdesc="Connection with CSF member established and authorized"
Tags: NOC, HA, Cluster
Custom message: Device ${devname} ${msg}.

Rule 8: Upstream connection with authorized CSF member terminated

Event Severity: High
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- direction="upstream" and logdesc="Connection with authorized CSF member terminated"
Tags: NOC, HA, Cluster
Custom message: Device ${devname} ${msg}.

Rule 9: FortiManager tunnel connection up

Event Severity: Medium
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- action="connect" and status="success" and logdesc="FortiManager tunnel connection up"
Tags: NOC, HA, Cluster
Custom message: Device ${devname} ${logdesc} with message - ${msg}.

Rule 10: FortiManager tunnel connection down

Event Severity: High
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- action="connect" and status="failure" and logdesc="FortiManager tunnel connection down"
Tags: NOC, HA, Cluster
Custom message: Device ${devname} ${logdesc} with message - ${msg}.

Default-NOC-Wireless-Events

Event handler for FortiGate device type logs to generate events for wireless wifi, AP updates and alerts including AP Status Change and Fake/Rogue AP detection, wireless client status change added/removed/allowed or denied status, signal to noise ratio (SNR) poor/fair/good, SSID status up/down.

Disabled by default

Rule 1: Fake AP detected

Event Severity: Medium
Log Type: Event > Wireless
Group by: Device Name, SSID
Log messages that match all of the following conditions:
- logid="0104043567" AND logdesc=="Fake AP detected"
Tags: NOC, Wireless, Wifi, AP
Custom message: ${logdesc}. SN: ${sndetected}

Rule 2: Rogue AP detected

Event Severity: Medium
Log Type: Event > Wireless
Group by: Device Name, SSID
Log messages that match all of the following conditions:
- logid=="0104043563" AND logdesc=="Rogue AP detected"
Tags: NOC, Wireless, Wifi, AP
Custom message: ${logdesc}. SN: ${sndetected} with message: ${msg}

Rule 3: Wireless event log id matched

Event Severity: Medium
Log Type: Event > Wireless
Group by: Device Name, Message
Log messages that match all of the following conditions:
- subtype="wireless" AND (logid=="0104043551" OR logid=="0104043552" OR logid=="0104043553")
Tags: NOC, Wireless, Wifi, AP
Custom message: ${logdesc}. of AP: ${ap}

Rule 4: Wireless client activity detected

Event Severity: Medium
Log Type: Event > Wireless
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- (logdesc=="Wireless client associated" OR logdesc=="Wireless client authenticated" OR logdesc=="Wireless client disassociated" OR logdesc=="Wireless client deauthenticated" OR logdesc=="Wireless client idle" OR logdesc=="Wireless client denied" OR logdesc=="Wireless client kicked" OR logdesc="Wireless client IP assigned" OR logdesc=="Wireless client left WTP" OR logdesc=="Wireless client WTP disconnected")
Tags: NOC, Wireless, Wifi, AP
Custom message: ${logdesc} for ${ssid} with message: ${msg}

Rule 5: Signal-to-noise ratio is poor

Event Severity: Medium
Log Type: Event > Wireless
Group by: Device Name
Log messages that match all of the following conditions:
- snr<="24"
Tags: NOC, Wireless, Wifi, AP
Custom message: SSID ${ssid}. has a poor quality SNR at ${snr} dB.

Rule 6: Signal-to-noise ratio is fair

Event Severity: Medium
Log Type: Event > Wireless
Group by: Device Name
Log messages that match all of the following conditions:
- snr>="25" and snr<="40"
Tags: NOC, Wireless, Wifi, AP
Custom message: SSID ${ssid}. has fair quality SNR at ${snr} dB.

Rule 7: Signal-to-noise ratio on is excellent

Event Severity: Medium
Log Type: Event > Wireless
Group by: Device Name
Log messages that match all of the following conditions:
- snr>="41"
Tags: NOC, Wireless, Wifi, AP
Custom message: SSID ${ssid}. has excellent quality SNR at ${snr} dB.

Rule 8: Physical AP radio ssid up

Event Severity: Medium
Log Type: Event > Wireless
Group by: SSID, Log Description
Log messages that match all of the following conditions:
- logdesc="Physical AP radio ssid up" and action="ssid-up"
Tags: NOC, Wireless, Wifi, AP
Custom message: Device ${sn} SSID status change with message ${msg}.

Rule 9: Physical AP radio ssid down

Event Severity: Medium
Log Type: Event > Wireless
Group by: SSID, Log Description
Log messages that match all of the following conditions:
- logdesc="Physical AP radio ssid down" and action="ssid-down"
Tags: NOC, Wireless, Wifi, AP
Custom message: Device ${sn} SSID status change with message ${msg}.

Default-NOC-Security-Events

Event handler for FortiGate device type logs to generate events for security events including Admin Logins failed or disabled, Admin or Admin Monitor Disconnected, Admin password expired and UTM Profile changes

Disabled by default

Rule 1: Admin login failed or desabled

Event Severity: High
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logdesc=="Admin login failed" OR logdesc=="Admin login disabled" OR logdesc=="SSL VPN login fail"
Tags: NOC, Security, Login, Password
Custom message: ${logdesc} for ${user} on device: ${devname} due to: ${reason} with message: ${msg}

Rule 2: Admin password expired

Event Severity: High
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logdesc=="Admin password expired"
Tags: NOC, Security, Login, Password
Custom message: Device: ${devname} ${logdesc} with message: ${msg}

Rule 3: Admin disconnected

Event Severity: High
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logdesc=="Admin disconnected" OR logdesc=="Admin monitor disconnected"
Tags: NOC, Security, Login, Password
Custom message: ${logdesc} on device: ${devname} with message: ${msg}

Rule 4: AV or IPS change detected

Event Severity: High
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logdesc=="AV updated by admin" OR logdesc=="IPS package - Admin update successful" OR logdesc=="AV package update by SCP failed" OR logdesc=="IPS package failed to update via SCP" OR logdesc=="IPS custom signatures backup failed"
Tags: NOC, Security, Login, Password
Custom message: Device: ${devname} ${logdesc} with message: ${msg}

Default-NOC-Fabric-Events

Event handler for FortiAnalyzer and FortiGate log device type to detect Fabric events, including device offline, CSF member connection status down or terminated, CSF member configuration changes, automation stitch triggered , licenses that are expiring or failed updates.

Disabled by default

Rule 1: Device offline detected

Event Severity: High
Log Type: Application
Group by: Logging Device Name, Message
Log messages that match all of the following conditions:
- desc="Device offline"
Tags: NOC, Fabric
Custom message: ${logdev_id} is offline

Rule 2: FortiAnalyzer connection down detected

Event Severity: High
Log Type: Event > System
Group by: Device Name, Message
Log messages that match all of the following conditions:
- logdesc="FortiAnalyzer connection down"
Tags: NOC, Fabric
Default message

Rule 3: Connection with authorized CSF member terminated

Event Severity: High
Log Type: Event > System
Group by: Device Name, Message
Log messages that match all of the following conditions:
- logdesc="Connection with authorized CSF member terminated"
Tags: NOC, Fabric
Custom message: ${logdesc} on: ${devid} due to: ${reason}

Rule 4: Automation stitch triggered

Event Severity: Medium
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logdesc="Automation stitch triggered"
Tags: NOC, Fabric
Custom message: ${logdesc} on: ${devname} with message: ${msg} and stitch action: ${stitchaction}

Rule 5: Device license failed or expiring detected

Event Severity: Critical
Log Type: Event > System
Group by: Device Name, Message
Log messages that match all of the following conditions:
- logdesc~"license failed" OR logdesc~"license expiring"
Tags: NOC, Fabric
Custom message: ${logdesc} on: ${devid}

Rule 6: System update or failure detected

Event Severity: Critical
Log Type: Event > System
Group by: Device Name, Message
Log messages that match all of the following conditions:
- logdesc~"update" AND logdesc~"failed"
Tags: NOC, Fabric
Custom message: ${logdesc} on: ${devname} with message: ${msg}

Rule 7: Security fabric settings change detected

Event Severity: Medium
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logdesc=="Settings modified by Security Fabric service" OR logdesc=="Looped configuration in Security Fabric service" OR logdesc=="Connection with CSF member established and authorized" OR logdesc=="Connection with authorized CSF member terminated" OR logdesc=="Serial number of upstream is changed"
Tags: NOC, Fabric
Custom message: Device: ${devname} change with message: ${msg}

Default-NOC-System-Events

Event handler for FortiGate device type logs to generate events for system events including Power failure and device shutdown, High Resource usage (CPU, Mem, Storage), log device full status warnings and disk rolled, and devices entering/exiting conserve mode.

Disabled by default

Rule 1: Device shutdown detected

Event Severity: Critical
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logdesc="Device shutdown"
Tags: NOC, System, Power, CPU, Memory, Storage
Custom message: ${devname} experienced $logdesc with message: ${msg}

Rule 2: Device conserve mode detected

Event Severity: High
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logdesc=="conserve mode"
Tags: NOC, System, Power, CPU, Memory, Storage
Custom message: ${logdesc} on Device: ${devname} with message ${msg}

Rule 3: Disk or memory is full

Event Severity: High
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logdesc=="Disk log full over first warning" OR logdesc=="Memory log full over first warning level" OR logdesc=="Memory log full over second warning level" OR logdesc=="Memory log full over final warning level" OR logdesc=="Disk full" OR logdesc=="Disk log rolled" OR logdesc=="Log disk full"
Tags: NOC, System, Power, CPU, Memory, Storage
Custom message: Device: ${devname} ${logdesc} with message: ${msg}

Rule 4: Device high CPU consumption detected

Event Severity: High
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- cpu>="80"
Tags: NOC, System, Power, CPU, Memory, Storage
Custom message: ${devid} performance cpu: ${cpu}

Rule 5: Device high memory consumption detected

Event Severity: Medium
Log Type: Event > System
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- mem>="75"
Tags: NOC, System, Power, CPU, Memory, Storage
Custom message: ${devid} performance memory: ${memory}

Default-NOC-VPN-Events

Event handler for FortiGate device type logs to generate events for VPN status changes including IPsec Phase1 error or failure, and Phase2 Up/Down and errors, Ipsec Tunnel Up/Down, VPN SSL login failures, IPSec ESP Error, IPsec DPD failures

Disabled by default

Rule 1: User SSL VPN login failed

Event Severity: High
Log Type: Event > VPN
Group by: Device Name, End User
Log messages that match all of the following conditions:
- logid=="0101039426" and action=="ssl-login-fail"
Tags: NOC, VPN
Custom message: ${logdesc} due to: ${reason}

Rule 2: IPsec phase 1 error or status fail detected

Event Severity: High
Log Type: Event > VPN
Group by: Device Name, Message
Log messages that match all of the following conditions:
- (logid=="0101037124" OR logid=="0101037120") and (logdesc=="IPsec phase 1 error" OR status="fail")
Tags: NOC, VPN
Custom message: ${logdesc} due to: ${status} with reason: ${reason}

Rule 3: IPsec ESP error detected

Event Severity: High
Log Type: Event > VPN
Group by: Device Name, Message
Log messages that match all of the following conditions:
- logid=="0101037131" and logdesc=="IPsec ESP"
Tags: NOC, VPN
Custom message: ${status} on: ${devname}, ${error_num}

Rule 4: IPsec DPD failed

Event Severity: High
Log Type: Event > VPN
Group by: Device Name, Message
Log messages that match all of the following conditions:
- logid=="0101037136" and logdesc=="IPsec DPD failed"
Tags: NOC, VPN
Custom message: ${msg} on device: ${devname}

Rule 5: Device tunnel-up or tunnel-down detected

Event Severity: High
Log Type: Event > VPN
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logid="0101037138" and (action="tunnel-up" or action= "tunnel-down")
Tags: NOC, VPN
Custom message: ${msg} due to: ${action}

Rule 6: IPsec phase 2 error detected

Event Severity: High
Log Type: Event > VPN
Group by: Device Name, Message
Log messages that match all of the following conditions:
- logid=="0101037125" and logdesc=="IPsec phase 2 error"
Tags: NOC, VPN
Custom message: ${logdesc} due to: ${reason}

Rule 7: Device phase2-up or phase2-down detected

Event Severity: Medium
Log Type: Event > VPN
Group by: Device Name, Message
Log messages that match all of the following conditions:
- logid=="0101037139" and (action=="phase2-up" OR action=="phase2-down")
Tags: NOC, VPN
Custom message: ${logdesc} due to: ${action}

Default-NOC-SD-WAN-Events

Event handler for FortiGate device type logs to generate events for SD-WAN status, alerts, and health check events including SLA targets/SLA met or not met for jitter, latency, packetloss, Health-check server status (alive or dead), status (up or down), and member status change.

Disabled by default

Rule 1: SLA failed for jitter

Event Severity: High
Log Type: Event > SD-WAN
Group by: Device Name, Health Check
Log messages that match all of the following conditions:
- subtype=="sdwan" AND metric=="jitter" AND msg~"SLA failed"
Tags: NOC, SD-WAN
Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${jitter} which violates the target ID ${slatargetid}.

Rule 2: SLA failed for latency

Event Severity: High
Log Type: Event > SD-WAN
Group by: Device Name, Health Check
Log messages that match all of the following conditions:
- subtype=="sdwan" AND metric=="latency" AND msg~"SLA failed"
Tags: NOC, SD-WAN
Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${latency} which violates the target ID ${slatargetid}.

Rule 3: SLA failed for packetloss

Event Severity: High
Log Type: Event > SD-WAN
Group by: Device Name, Health Check
Log messages that match all of the following conditions:
- subtype=="sdwan" AND metric=="packetloss" AND msg~"SLA failed"
Tags: NOC, SD-WAN
Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${packetloss} which violates the target ID ${slatargetid}.

Rule 4: Device status changed to die

Event Severity: Medium
Log Type: Event > SD-WAN
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logid="0113022925" AND newvalue="die"
Tags: NOC, SD-WAN
Custom message: Device: ${devname} with status ${newvalue}. ${msg}.

Rule 5: Device status changed to alive.

Event Severity: Medium
Log Type: Event > SD-WAN
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logid="0113022925" AND newvalue="alive"
Tags: NOC, SD-WAN
Custom message: Device: ${devname} with status ${newvalue}. ${msg}.

Rule 6: Device status is up

Event Severity: Medium
Log Type: Event > SD-WAN
Group by: Device Name, Health Check
Log messages that match all of the following conditions:
- logid="0113022925" AND status=="up"
Tags: NOC, SD-WAN
Custom message: Device: ${devname} ${msg} status is ${status}.

Rule 7: Device status is down

Event Severity: Medium
Log Type: Event > SD-WAN
Group by: Device Name, Health Check
Log messages that match all of the following conditions:
- logid="0113022925" AND status=="down"
Tags: NOC, SD-WAN
Custom message: Device: ${devname} ${msg} status is ${status}.

Rule 8: Number of pass member changed

Event Severity: Medium
Log Type: Event > SD-WAN
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logid="0113022923" AND msg="Number of pass member changed."
Tags: NOC, SD-WAN
Custom message: ${msg} from ${oldvalue} to ${newvalue} for ${devname}

Rule 9: Member status changed

Event Severity: Medium
Log Type: Event > SD-WAN
Group by: Device Name, Log Description
Log messages that match all of the following conditions:
- logid="0113022923" AND msg="Member status changed. Member out-of-sla."
Tags: NOC, SD-WAN
Custom message: ${msg}. Member is now ${member} on ${devname}.

Default-NOC-Docker-Events

Event handler for FortiGate device type logs to generate events for Docker including inlcuding container enabled/disabled, CPU value set/max reached and MEM value set/max reached

Disabled by default

Rule 1: Memory report detected

Event Severity: Medium
Log Type: Event
Group by: Type, Subtype
Log messages that match all of the following conditions:
- log_id=="0042010266" and msg~"MEM"
Tags: NOC, Docker
Custom message: Device ${devname} with message ${msg}.

Rule 2: CPU report detected

Event Severity: Medium
Log Type: Event
Group by: Type, Subtype
Log messages that match all of the following conditions:
- log_id=="0042010266" and msg~"CPU"
Tags: NOC, Docker
Custom message: Device ${devname} with message ${msg}.

Rule 3: Status changed to disable 1

Event Severity: Medium
Log Type: Event
Group by: Type, Subtype
Log messages that match all of the following conditions:
- log_id="0001010026" and changes~"status=disable"
Tags: NOC, Docker
Custom message: Device ${devname} with changes ${changes}.

Rule 4: Status changed to disable 2

Event Severity: Medium
Log Type: Event
Group by: Type, Subtype
Log messages that match all of the following conditions:
- log_id="0001010026" and changes~"status=disable"
Tags: NOC, Docker
Custom message: Device ${devname} with changes ${changes}.

Default Event Handler

Example Log

Local Device Event

id=6872390755323740160 itime=2020-09-14 10:06:03 euid=1 epid=1 dsteuid=1 dstepid=1 log_id=0034043006 subtype=logdb type=event level=warning time=10:06:03 date=2020-09-14 user=system action=delete msg=Requested to trim database tables older than 60 days to enforce the retention policy of Adom root. userfrom=system desc=Trim local db devid=FAZ-VMTM20001572 devname=FAZ-VMTM20001572 dtime=2020-09-14 10:06:03 itime_t=1600103163

Default-Compromised Host-Detection-by IOC-By-Threat

date=2020-09-20 time=07:41:20 id=6874471739997290516 itime=2020-09-20 00:41:20 euid=3 epid=1161 dsteuid=3 dstepid=101 type=utm subtype=ips level=warning sessionid=917509475 policyid=2 srcip=172.16.93.164 dstip=5.79.68.109 srcport=51392 dstport=80 proto=6 logid=0421016399 service=HTTP eventtime=1537181449 crscore=30 crlevel=high srcintfrole=lan dstintfrole=wan direction=outgoing url=/ hostname=survey-smiles.com profile=default eventtype=malicious-url srcintf=95-FortiCloud dstintf=OSPF msg=URL blocked by malicious-url-list devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:20 itime_t=1600587680 devname=FG100D3G02000011

Default-Risky-App-Detection-By-Threat

date=2020-09-20 time=07:41:23 id=6874471752882192399 itime=2020-09-20 00:41:23 euid=3 epid=1201 dsteuid=3 dstepid=101 type=utm subtype=app-ctrl level=information action=pass sessionid=3003333495 policyid=79 srcip=172.16.80.218 dstip=122.195.166.40 srcport=38625 dstport=26881 proto=6 logid=1059028704 service=tcp/26881 eventtime=1537399002 incidentserialno=603516169 crscore=5 crlevel=low direction=outgoing apprisk=high appid=6 srcintfrole=lan dstintfrole=wan applist=scan appcat=P2P app=BitTorrent eventtype=app-ctrl-all srcintf=80-software-r dstintf=port7 msg=P2P: BitTorrent_HTTP.Track, devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:23 itime_t=1600587683 devname=FG100D3G02000011

Default_NOC_Routing_Events

date=2021-02-08 time=10:36:09 eventtime=1612809370040652208 tz="-0800" logid="0103027001" type="event" subtype="router" level="information" vd="root" logdesc="VRRP state changed" interface="port1" msg="VRRP vrid 200 vrip 172.17.200.200 changes state from Master to Backup due to ADVERTISEMENT with higherer priority received"

Administration Guide

Predefined event handlers