Creating a custom correlation handler
You can create a custom correlation handler from scratch or clone a predefined correlation handler and customize its settings. See Cloning event handlers.
Configuring a correlation handler involves defining the following main sections in the GUI:
| Option | Description |
|---|---|
| Correlation event handler attributes | The name, description, data selector, and automation stitch for the correlation handler. This section also includes the threshold duration for the handler. |
| Correlation Sequence | The rules for event generation in sequence and logic group. |
| Correlation Criteria | The correlation criteria to specify the type of logs that the event handler will look for. Each criterion is applied to two rules on a field from each rule. |
| Handler Settings | The event fields, including the event type override, event message, event status, event severity, indicators, and tags. This section also includes the notification profile for the correlation handler. |
To create a new correlation event handler:
- Go to FortiSoC/Incidents & Events > Handlers > Correlation Handler List.
- In the toolbar, click Create New.
The Add New Correlation Event Handler pane displays.
- Configure the following options, and click OK to save the correlation event handler.
Option
Description
Status
Enable or disable the event handler.
Enabled and disabled event handlers each show a corresponding icon in the Status column.
Name
Enter a name for the event handler.
Description
(Optional) Enter a description for the event handler.
Automation Stitch
Enable or disable automation stitch.
When enabled, FortiAnalyzer sends a notification to FortiGate when events are generated by the event handler. The events are available in the FortiAnalyzer GUI as well. For more information, see Using the Automation Stitch for event handlers.
Data Selector
Select a data selector for the event handler.
This selects devices, subnets, and filters used for the event handler. See Creating data selectors.
Threshold Duration
Enter the threshold duration for the correlation handler in minutes.
The logs must match the criteria in correlation sequence within this time to generate an event.
Correlation Sequence
Add Rule
Click the icon to add a rule. The Add New Rule pane displays. Configure the options below and click OK to save the rule.
After creating the rules, make sure they are in the correct correlation sequence. You can drag and drop the rules to re-order them, if needed.
Select the correlation between each of the rules:
- AND
- AND_NOT
- OR
- FOLLOWED_BY (if selected, enter a time limit for the correlation to occur in)
- NOT_FOLLOWED_BY (if selected, enter a time limit for the correlation to occur in)
The rules must be met in the correlation sequence for the event handler to generate an event.
Name
Enter a name for the rule.
Log Device Type
If you are in a Security Fabric ADOM, select the log device type from the dropdown list. If you are not in a Security Fabric ADOM, you cannot change the Log Device Type.
The Fabric log device type can be used to generate alerts from SIEM logs when SIEM logs are available.
Log Type
Select the log type from the dropdown list.
When Devices is set to Local Device, you cannot change the Log Type or Log Subtype.
Log Subtype
Select the category of event that this event handler monitors. The available options depend on the platform type.
This option is only available when the Log Type has a subtype. For example, Event Log and Traffic Log have log subtypes which can be selected from the dropdown.
Group By
Select how to group the events. Click Add beside the Group By field to add up to two additional Group By fields, to a maximum of three.
Logs match
Select All or Any of the following conditions.
Click plus (+) to insert a new condition. You can insert multiple conditions.
Configure the condition(s):
Log Field: Select a log field from the dropdown.
After the log device and log type are selected, the Log Field dropdown list only includes log fields that belong to the specified log type. For example, the Botnet IP log field is available when the Log Type is DNS, but not when the Log Type is Event Log.
Match Criteria: Select an operator from the dropdown. The available options depend on the selected log field.
Some log fields, such as Source Port, provide a variety of operators in the dropdown list, such as Equal To, Not Equal To, Greater Than or Equal To, Less Than or Equal To, Greater Than, and Less Than.
Other log fields, such as Log Description, are limited to Equal To and Not Equal To.
Value: Select a value from the dropdown list or enter a value in the text box. The available options depend on the selected log field.
If there is no dropdown list provided by FortiAnalyzer, you must manually enter a value to find in the raw log.
If a dropdown list is provided, you can select a value from the list. For some log fields, such as Level, the dropdown list also allows you to enter a custom value. If there is no textbox to enter a custom value in the dropdown list, you must use the Generic Text Filter instead.
To delete a condition, click the x next to the condition.
Generic Text Filter
Enter a generic text filter. See Using the Generic Text Filter.
For information on text format, hover the cursor over the help icon. The operator ~ means contains and !~ means does not contain.
Aggregate Expression
Enter the minimum threshold for the rule.
- COUNT: enter the minimum count threshold.
- COUNT_DISTINCT: select the field that must be distinct, such as Source IP or Application, and enter the minimum count threshold.
- SUM: select the measure, and enter the minimum sum threshold.
The SUM option is used for data exfiltration detection. This option is only supported in Fabric ADOMs.
Add Logic Group
Add a logic group.
You must select a correlation between groups (AND, AND_NOT, OR, FOLLOWED_BY, or NOT_FOLLOWED_BY). All groups must be met in correlation sequence for the correlation event handler to generate an event.
Show Raw Config
Enable to display the raw config of the correlation sequence.
Edits made to the raw config will appear above in the correlation sequence fields. If there is an error in the text, the fields will not display and you will not be able to save the changes.
Correlation Criteria
Specify the fields that the event handler will look for to correlate the rules. Each correlation criteria is applied to two rules, using a field from each rule.
Configure the following options for each correlation criteria:
Rule: Select two rules to create a correlation criteria for.
Field: Select a field for each rule in the correlation criteria. The fields available in the dropdown are determined by the Group By field in the rule.
Match Criteria: Select an operator from the dropdown. The available options depend on the selected fields.
Use the buttons in the Action column to add (+) or remove (x) correlation criteria.
Handler Settings
Event Type Override
Specify a custom event type, or leave this field blank to use the default value.
Event Message
(Optional) Enter a custom event message.
The default message is the Group By value. You can use variables in the event message.
Event Status
Select Allow FortiAnalyzer to choose or select a status from the dropdown list: Unhandled, Mitigated, Contained, (Blank). You can use a custom event status by clicking the plus (+) that appears in the Event Status dropdown.
Event statuses, including custom statuses, are displayed in the Event Status column in the Event Monitor.
Event Severity
Select the severity from the dropdown list: Critical, High, Medium, or Low.
Tags
(Optional) Enter custom tags.
Tags can be used as a filter when using default or custom views.
Indicators
(Optional) Add indicators by clicking the plus (+). You can configure the Log Field, Indicator Type, and Count for each indicator created in an event handler. Use the buttons in the Action column to add (+) or remove (x) indicators. Up to five indicators can be created.
When Indicators is selected in Event Monitor > Display Options, the Indicators column displays indicator types for detected events. You can see additional details by clicking an indicator. See Events.
If an incident is raised from an event that includes indicators, they can be viewed in the Indicators tab of the incident analysis page. See Analyzing an incident.
Additional Info
Specify what to show in the Additional Info column of the Event Monitor.
Select Use system default or Use custom message. A custom message can include variables and log field names. For more information, hover over the help icon.
Notifications
Select a notification profile for the event handler. See Creating notification profiles.
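The way the Correlation Sequence, Correlation Criteria, Aggregate Expression and Threshold Duration settings described above combine when logs arrive, worked through as an added Python example. This is not FortiAnalyzer code and does not reproduce its raw config format: the handler dictionary and its keys (conditions, group_by, aggregate, sequence, criteria), the constructed sample logs, and the reading of FOLLOWED_BY as "a rule-B log arrives after rule A's last matching log and within the time limit" are assumptions made for illustration only. The correlation criteria here compare the two rules' Group By values, since the page states that the criteria fields are determined by each rule's Group By field.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _log(t, status, srcip, user):
    """Build one constructed log record (a dict of log fields); not real FortiAnalyzer output."""
    return {"time": datetime.fromisoformat(t), "logtype": "event",
            "status": status, "srcip": srcip, "user": user}


# Constructed sample logs for three source hosts.
SAMPLE_LOGS = (
    # 10.0.0.5: five failed logins, then a success 3 minutes later
    [_log(f"2024-05-01T09:00:{s:02d}", "failed", "10.0.0.5", "alice") for s in (0, 10, 20, 30, 40)]
    + [_log("2024-05-01T09:03:00", "success", "10.0.0.5", "alice")]
    # 10.0.0.9: five failed logins, success only 30 minutes later
    + [_log(f"2024-05-01T09:10:{s:02d}", "failed", "10.0.0.9", "bob") for s in (0, 10, 20, 30, 40)]
    + [_log("2024-05-01T09:40:00", "success", "10.0.0.9", "bob")]
    # 10.0.0.7: a single failure, so rule A's COUNT threshold is never reached
    + [_log("2024-05-01T09:20:00", "failed", "10.0.0.7", "carol"),
       _log("2024-05-01T09:21:00", "success", "10.0.0.7", "carol")]
)

# Hypothetical handler definition mirroring the GUI sections on this page (assumed layout).
HANDLER = {
    "threshold_minutes": 30,  # Threshold Duration: every correlated log must fall in this window
    "rules": [
        {"name": "repeated_failures", "conditions": {"logtype": "event", "status": "failed"},
         "group_by": "srcip", "aggregate": {"type": "COUNT", "min": 5}},
        {"name": "later_success", "conditions": {"logtype": "event", "status": "success"},
         "group_by": "srcip", "aggregate": {"type": "COUNT", "min": 1}},
    ],
    "sequence": {"op": "FOLLOWED_BY", "within_minutes": 10},
    "criteria": {"op": "EQUAL_TO"},  # rule A's Group By value must Equal To rule B's
}


def evaluate_rule(rule, logs):
    """Apply the rule's conditions (Logs match: All), group matches by the Group By
    field and keep the groups whose Aggregate Expression reaches its minimum.
    Returns {group_value: time-ordered matching logs}."""
    groups = defaultdict(list)
    for rec in sorted(logs, key=lambda r: r["time"]):
        if all(rec.get(f) == v for f, v in rule["conditions"].items()):
            groups[rec[rule["group_by"]]].append(rec)
    agg, hits = rule["aggregate"], {}
    for key, matched in groups.items():
        if agg["type"] == "COUNT":
            value = len(matched)
        elif agg["type"] == "COUNT_DISTINCT":
            value = len({m[agg["field"]] for m in matched})
        elif agg["type"] == "SUM":
            value = sum(m[agg["field"]] for m in matched)
        else:
            raise ValueError(f"unknown aggregate {agg['type']}")
        if value >= agg["min"]:
            hits[key] = matched
    return hits


def sequence_satisfied(op, logs_a, logs_b, within, threshold):
    """Apply one correlation operator to rule A's logs and the criteria-matched
    rule B logs of a single group."""
    def in_threshold(*groups):
        times = [rec["time"] for g in groups for rec in g]
        return bool(times) and max(times) - min(times) <= threshold
    a_done = logs_a[-1]["time"] if logs_a else None  # moment rule A was last matched
    followed = a_done is not None and any(a_done < rec["time"] <= a_done + within for rec in logs_b)
    if op == "AND":
        return bool(logs_a) and bool(logs_b) and in_threshold(logs_a, logs_b)
    if op == "AND_NOT":
        return bool(logs_a) and not logs_b
    if op == "OR":
        return bool(logs_a) or bool(logs_b)
    if op == "FOLLOWED_BY":
        return followed and in_threshold(logs_a, logs_b)
    if op == "NOT_FOLLOWED_BY":
        return bool(logs_a) and not followed
    raise ValueError(f"unknown operator {op}")


def correlate(handler, logs):
    """Run both rules, pair their groups through the Correlation Criteria and
    emit one event per group whose sequence is satisfied."""
    rule_a, rule_b = handler["rules"]
    hits_a, hits_b = evaluate_rule(rule_a, logs), evaluate_rule(rule_b, logs)
    op = handler["sequence"]["op"]
    within = timedelta(minutes=handler["sequence"].get("within_minutes", 0))
    threshold = timedelta(minutes=handler["threshold_minutes"])
    equal = handler["criteria"]["op"] == "EQUAL_TO"
    keys = set(hits_a) | (set(hits_b) if op == "OR" else set())
    events = []
    for key in sorted(keys):
        logs_a = hits_a.get(key, [])
        # Criteria pairing: rule-B groups whose Group By value compares as configured
        logs_b = sorted((rec for kb, lb in hits_b.items() if (kb == key) == equal for rec in lb),
                        key=lambda r: r["time"])
        if sequence_satisfied(op, logs_a, logs_b, within, threshold):
            events.append({"group": key, "rules": [rule_a["name"], rule_b["name"]],
                           "log_count": len(logs_a) + len(logs_b)})
    return events


if __name__ == "__main__":
    for event in correlate(HANDLER, SAMPLE_LOGS):
        print(event)
```

With the FOLLOWED_BY sequence only 10.0.0.5 produces an event: 10.0.0.9's success arrives outside the 10-minute limit, and 10.0.0.7 never reaches rule A's COUNT threshold. Swapping the operator for NOT_FOLLOWED_BY inverts that and reports 10.0.0.9. Replaying a small labelled log set like this against a handler definition, confirming that the known-good sequence raises an event and the near misses do not, is a cheap check before enabling a new handler.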