Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiAnalyzer 7.4.0 Administration Guide
    7.4.0
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.9
    5.2.7
    5.2.6
    5.2.5
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.13
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.0
    4.2.0
    4.1.0
    4.0.0

    Predefined correlation handlers

    Predefined correlation handlers

    FortiAnalyzer includes some predefined correlation event handlers that you can use to generate events.

    If you wish to recieve notifications from a pedefined correlation handler, configure a notification profile and assign it to the correlation handler. See Creating notification profiles.

    To view predefined event handlers in the FortiAnalyzer GUI, go to Incidents & Events > Handlers > Correlation Handlers. From the More dropdown, select Show Predefined. Predefined correlation handlers are named according to their use case. For example, there are predefined correlaton handlers for:

    • CnC (Command and Control)

    • Credential Access

    • Defense Evasion

    • Execution

    • Exfiltration

    • Initial Access

    • Lateral Movement

    • Persistence

    • Privilege

    The following are a small sample of FortiAnalyzer predefined correlation handlers.

    Correlation Handler

    Description

    CnC - Default-Suspicious-Traffic-From-Infected-Endpoint

    This handler is to detect if an endpoint is infected and there is a large traffic from the same endpoint.

    Disabled by default

    Event Severity: Medium

    Tags: CnC

    Threshold Duration: 30 minutes

    Correlation Sequence:

    Logic Group 1

    Traffic to Botnet CnC detected or blocked in virus log
    Log Device Type FortiGate
    Log Type Antivirus
    Group By Source Endpoint
    Log messages that match any of the following conditions:

    • Log ID Equal To 0202009248

    • Log ID Equal To 0202009249

    Aggregate Expression:

    COUNT >= 1

    OR

    Traffic to CnC detected
    Log Device Type FortiGate
    Log Type Traffic Log > Any
    Group By Source Endpoint
    Log messages that match any of the following conditions:

    tdtype~infected

    Aggregate Expression:

    COUNT >= 1

    OR

    Web traffic to CnC detected
    Log Device Type FortiGate
    Log Type Web Filter
    Group By Source Endpoint
    Log messages that match any of the following conditions:

    tdtype~infected

    Aggregate Expression:

    COUNT >= 1

    OR

    DNS traffic to CnC detected
    Log Device Type FortiGate
    Log Type DNS Log
    Group By Source Endpoint
    Log messages that match any of the following conditions:

    tdtype~infected

    Aggregate Expression:

    COUNT >= 1

    FOLLOWED_BY, within 15m

    Logic Group 2

    Traffic from endpoint
    Log Device Type FortiGate
    Log Type Traffic Log > Any
    Group By Source Endpoint
    Log messages that match any of the following conditions:

    Aggregate Expression:

    SUM sentbyte >= 100 Mega Byte

    Correlation Criteria:

    • Traffic to Botnet CnC detected or blocked in virus log endpoint = Traffic to CnC detected endpoint

    • Traffic to CnC detected endpoint = Web traffic to CnC detected endpoint

    • Web traffic to CnC detected endpoint = DNS traffic to CnC detected endpoint

    • DNS traffic to CnC detected endpoint = Traffic from endpoint endpoint

    Credential Access - Default-Brute-Force-Account-Login-Attack-FAZ

    This handler is to detect if an account login failed many times not followed by a login success for FortiAnalyzer.

    Disabled by default

    Event Severity: Medium

    Tags: login, attack

    Threshold Duration: 30 minutes

    Correlation Sequence:

    Login Failed 5 Times
    Log Device Type FortiAnalyzer
    Log Type Event Log
    Group By Device ID
    Log messages that match any of the following conditions: Operation Equal To login failed

    Aggregate Expression:

    COUNT >= 5

    NOT_FOLLOWED_BY, within 5m

    Login Success
    Log Device Type FortiAnalyzer
    Log Type Event Log
    Group By Device ID
    Log messages that match any of the following conditions: Operation Equal To login

    Aggregate Expression:

    COUNT >= 1

    Correlation Criteria:

    • Login Failed 5 Times devid = Login Success devid

    Credential Access - Default-Brute-Force-Account-Login-Attack-FGT

    This handler is to detect if an account login failed many times not followed by a login success for FortiGate.

    Disabled by default

    Event Severity: Medium

    Tags: login, attack

    Threshold Duration: 30 minutes

    Correlation Sequence:

    Login Failed 5 Times
    Log Device Type FortiGate
    Log Type Event Log > System
    Group By Device ID
    Log messages that match any of the following conditions: Log ID Equal To 0100032002

    Aggregate Expression:

    COUNT >= 5

    NOT_FOLLOWED_BY, within 5m

    Login-Success
    Log Device Type FortiGate
    Log Type Event Log > System
    Group By Device ID
    Log messages that match any of the following conditions: Log ID Equal To 0100032001

    Aggregate Expression:

    COUNT >= 1

    Correlation Criteria:

    • Login Failed 5 Times devid = Login-Success devid

    Previous
    Next

    Predefined correlation handlers

    Predefined correlation handlers

    FortiAnalyzer includes some predefined correlation event handlers that you can use to generate events.

    If you wish to recieve notifications from a pedefined correlation handler, configure a notification profile and assign it to the correlation handler. See Creating notification profiles.

    To view predefined event handlers in the FortiAnalyzer GUI, go to Incidents & Events > Handlers > Correlation Handlers. From the More dropdown, select Show Predefined. Predefined correlation handlers are named according to their use case. For example, there are predefined correlaton handlers for:

    • CnC (Command and Control)

    • Credential Access

    • Defense Evasion

    • Execution

    • Exfiltration

    • Initial Access

    • Lateral Movement

    • Persistence

    • Privilege

    The following are a small sample of FortiAnalyzer predefined correlation handlers.

    Correlation Handler

    Description

    CnC - Default-Suspicious-Traffic-From-Infected-Endpoint

    This handler is to detect if an endpoint is infected and there is a large traffic from the same endpoint.

    Disabled by default

    Event Severity: Medium

    Tags: CnC

    Threshold Duration: 30 minutes

    Correlation Sequence:

    Logic Group 1

    Traffic to Botnet CnC detected or blocked in virus log
    Log Device Type FortiGate
    Log Type Antivirus
    Group By Source Endpoint
    Log messages that match any of the following conditions:

    • Log ID Equal To 0202009248

    • Log ID Equal To 0202009249

    Aggregate Expression:

    COUNT >= 1

    OR

    Traffic to CnC detected
    Log Device Type FortiGate
    Log Type Traffic Log > Any
    Group By Source Endpoint
    Log messages that match any of the following conditions:

    tdtype~infected

    Aggregate Expression:

    COUNT >= 1

    OR

    Web traffic to CnC detected
    Log Device Type FortiGate
    Log Type Web Filter
    Group By Source Endpoint
    Log messages that match any of the following conditions:

    tdtype~infected

    Aggregate Expression:

    COUNT >= 1

    OR

    DNS traffic to CnC detected
    Log Device Type FortiGate
    Log Type DNS Log
    Group By Source Endpoint
    Log messages that match any of the following conditions:

    tdtype~infected

    Aggregate Expression:

    COUNT >= 1

    FOLLOWED_BY, within 15m

    Logic Group 2

    Traffic from endpoint
    Log Device Type FortiGate
    Log Type Traffic Log > Any
    Group By Source Endpoint
    Log messages that match any of the following conditions:

    Aggregate Expression:

    SUM sentbyte >= 100 Mega Byte

    Correlation Criteria:

    • Traffic to Botnet CnC detected or blocked in virus log endpoint = Traffic to CnC detected endpoint

    • Traffic to CnC detected endpoint = Web traffic to CnC detected endpoint

    • Web traffic to CnC detected endpoint = DNS traffic to CnC detected endpoint

    • DNS traffic to CnC detected endpoint = Traffic from endpoint endpoint

    Credential Access - Default-Brute-Force-Account-Login-Attack-FAZ

    This handler is to detect if an account login failed many times not followed by a login success for FortiAnalyzer.

    Disabled by default

    Event Severity: Medium

    Tags: login, attack

    Threshold Duration: 30 minutes

    Correlation Sequence:

    Login Failed 5 Times
    Log Device Type FortiAnalyzer
    Log Type Event Log
    Group By Device ID
    Log messages that match any of the following conditions: Operation Equal To login failed

    Aggregate Expression:

    COUNT >= 5

    NOT_FOLLOWED_BY, within 5m

    Login Success
    Log Device Type FortiAnalyzer
    Log Type Event Log
    Group By Device ID
    Log messages that match any of the following conditions: Operation Equal To login

    Aggregate Expression:

    COUNT >= 1

    Correlation Criteria:

    • Login Failed 5 Times devid = Login Success devid

    Credential Access - Default-Brute-Force-Account-Login-Attack-FGT

    This handler is to detect if an account login failed many times not followed by a login success for FortiGate.

    Disabled by default

    Event Severity: Medium

    Tags: login, attack

    Threshold Duration: 30 minutes

    Correlation Sequence:

    Login Failed 5 Times
    Log Device Type FortiGate
    Log Type Event Log > System
    Group By Device ID
    Log messages that match any of the following conditions: Log ID Equal To 0100032002

    Aggregate Expression:

    COUNT >= 5

    NOT_FOLLOWED_BY, within 5m

    Login-Success
    Log Device Type FortiGate
    Log Type Event Log > System
    Group By Device ID
    Log messages that match any of the following conditions: Log ID Equal To 0100032001

    Aggregate Expression:

    COUNT >= 1

    Correlation Criteria:

    • Login Failed 5 Times devid = Login-Success devid

    Previous
    Next