Administration Guide

Setting up FortiAnalyzer
- Connecting to the GUI
  - FortiAnalyzer Setup wizard
  - Activating VM licenses
- Security considerations
- GUI overview
- Target audience and access level
- Initial setup
- FortiManager features
- Next steps
- Restarting and shutting down
FortiAnalyzer Key Concepts
- Operation modes
- Administrative domains
- Logs
- Log storage
- FortiView dashboard
Device Manager
- ADOMs
- FortiClient EMS devices
- Unauthorized devices
- Using FortiManager to manage FortiAnalyzer devices
- Adding devices
- Managing devices
- Device groups
  - Adding device groups
  - Managing device groups
FortiView
- FortiView
- Monitor
- Enabling and disabling FortiView
Log View and Log Quota Management
- Types of logs collected for each device
- Log messages
- Log groups
- Log browse
- Log and file storage
Fabric View
- Fabric Connectors
- Subnets
- Identity Center
  - Identity Center dashboard
- Asset Center
  - Asset Center dashboard
- Configuring endpoint and end user data sources
Fortinet Security Fabric
- Adding a Security Fabric group
- Displaying Security Fabric topology
- Security Fabric traffic log to UTM log correlation
- Security Fabric ADOMs
- Enabling SAML authentication in a Security Fabric
Incident and Event Management
- Event handlers
- Events
- Incidents
FortiSoC
- Viewing FortiSoC dashboards
- Configuring playbook automation
- Threat Hunting
- Outbreak Alerts
Reports
- How ADOMs affect reports
- Predefined reports, templates, charts, and macros
- Logs used for reports
- How charts and macros extract data from logs
- How auto-cache works
- Generating reports
- Creating reports
- Managing reports
  - Organizing reports into folders
  - Importing and exporting reports
- Report template library
- Chart library
  - Creating charts
  - Managing charts
- Macro library
  - Creating macros
  - Managing macros
- Datasets
- Output profiles
  - Creating output profiles
  - Managing output profiles
- Report languages
- Report calendar
  - Viewing all scheduled reports
  - Managing report schedules
FortiRecorder
- Configuring cameras in the Camera Manager
- Face Recognition
- Watching live and recorded video in the Monitor
- Enabling and disabling FortiRecorder
System Settings
- Dashboard
- Logging Topology
- Network
- RAID Management
- Administrative Domains (ADOMs)
- Certificates
- Log Forwarding
- Fetcher Management
- Event Log
  - Event log filtering
- Task Monitor
- SNMP
- Mail Server
- Syslog Server
  - Send local logs to syslog server
- Meta Fields
- Device logs
- File Management
- Advanced Settings
- FortiGuard
- Restart, shut down, or reset FortiAnalyzer
Administrators
- Trusted hosts
- Monitoring administrators
- Disconnecting administrators
- Managing administrator accounts
- Administrator profiles
- Authentication
- Global administration settings
- Multi-factor authentication
  - Multi-factor authentication with FortiAuthenticator
    - Configuring FortiAuthenticator
    - Configuring FortiAnalyzer
  - Multi-factor authentication with FortiToken Cloud
High Availability
- Configuring HA options
  - Log synchronization
  - Configuration synchronization
- Monitoring HA status
  - If the primary unit fails
- Load balancing
- Upgrading the FortiAnalyzer firmware for an operating cluster
Collectors and Analyzers
- Configuring the Collector
- Configuring the Analyzer
- Fetching logs from the Collector to the Analyzer
Management Extensions
- FortiSIEM MEA
- FortiSOAR MEA
- Enabling management extension applications
  - CLI for management extensions
- Accessing management extension logs
- Checking for new versions and upgrading
Appendix A - Supported RFC Notes
Appendix B - Log Integrity and Secure Log Transfer
- Maximum TLS/SSL version compatibility
Appendix C - FortiAnalyzer Ansible Collection documentation
Change Log

Home FortiAnalyzer 7.2.8 Administration Guide

7.2.8

Predefined correlation handlers

FortiAnalyzer includes some predefined correlation event handlers that you can use to generate events.

If you wish to recieve notifications from a pedefined correlation handler, configure a notification profile and assign it to the correlation handler. See Creating notification profiles.

To view predefined event handlers in the FortiAnalyzer GUI, go to FortiSoC/Incidents & Events > Handlers > Correlation Handler List. From the More dropdown, select Show Predefined.

The following predefined correlation handlers are available:

Event Handler

Description

Default-Brute-Force-Account-Login-Attack-FAZ

This handler is to detect if an account login failed many times not followed by a login success for FortiAnalyzer.

Disabled by default

Event Severity: Medium

Tags: login, attack

Threshold Duration: 30 minutes

Correlation Sequence:

Login Failed 5 Times
Log Device Type	FortiAnalyzer
Log Type	Event Log
Group By	Device ID
Log messages that match any of the following conditions:	Operation Equal To login failed
Aggregate Expression:	COUNT >= 5

NOT_FOLLOWED_BY, within 5m

Login Success
Log Device Type	FortiAnalyzer
Log Type	Event Log
Group By	Device ID
Log messages that match any of the following conditions:	Operation Equal To login
Aggregate Expression:	COUNT >= 1

Correlation Criteria:

Login Failed 5 Times devid = Login Success devid

Default-Brute-Force-Account-Login-Attack-FGT

This handler is to detect if an account login failed many times not followed by a login success for FortiGate.

Disabled by default

Event Severity: Medium

Tags: login, attack

Threshold Duration: 30 minutes

Correlation Sequence:

Login Failed 5 Times
Log Device Type	FortiGate
Log Type	Event Log > System
Group By	Device ID
Log messages that match any of the following conditions:	Log ID Equal To 0100032002
Aggregate Expression:	COUNT >= 5

NOT_FOLLOWED_BY, within 5m

Login-Success
Log Device Type	FortiGate
Log Type	Event Log > System
Group By	Device ID
Log messages that match any of the following conditions:	Log ID Equal To 0100032001
Aggregate Expression:	COUNT >= 1

Correlation Criteria:

Login Failed 5 Times devid = Login-Success devid

Default-Suspicious-Traffic-From-Infected-Endpoint

This handler is to detect if an endpoint is infected and there is a large traffic from the same endpoint.

Disabled by default

Event Severity: Medium

Tags: CnC

Threshold Duration: 30 minutes

Correlation Sequence:

Logic Group 1

Traffic to Botnet CnC detected or blocked in virus log
Log Device Type	FortiGate
Log Type	Antivirus
Group By	Source Endpoint
Log messages that match any of the following conditions:	Log ID Equal To 0202009248 Log ID Equal To 0202009249
Aggregate Expression:	COUNT >= 1

Traffic to CnC detected
Log Device Type	FortiGate
Log Type	Traffic Log > Any
Group By	Source Endpoint
Log messages that match any of the following conditions:	tdtype~infected
Aggregate Expression:	COUNT >= 1

Web traffic to CnC detected
Log Device Type	FortiGate
Log Type	Web Filter
Group By	Source Endpoint
Log messages that match any of the following conditions:	tdtype~infected
Aggregate Expression:	COUNT >= 1

DNS traffic to CnC detected
Log Device Type	FortiGate
Log Type	DNS Log
Group By	Source Endpoint
Log messages that match any of the following conditions:	tdtype~infected
Aggregate Expression:	COUNT >= 1

FOLLOWED_BY, within 15m

Logic Group 2

Traffic from endpoint
Log Device Type	FortiGate
Log Type	Traffic Log > Any
Group By	Source Endpoint
Log messages that match any of the following conditions:
Aggregate Expression:	SUM sentbyte >= 100 Mega Byte

Correlation Criteria:

Traffic to Botnet CnC detected or blocked in virus log endpoint = Traffic to CnC detected endpoint
Traffic to CnC detected endpoint = Web traffic to CnC detected endpoint
Web traffic to CnC detected endpoint = DNS traffic to CnC detected endpoint
DNS traffic to CnC detected endpoint = Traffic from endpoint endpoint