Creating data selectors
Data selectors are used to select devices, subnets, and filters for event handlers. You can create, edit, clone, and delete data selectors in Incidents & Events > Handlers > Data Selectors.
To assign a data selector to a basic event handler, see Creating a custom event handler.
To assign a data selector to a correlation handler, see Creating a custom correlation handler.
The filters in the data selector are applied before every rule configured in the event handler. This means the filter criteria do not need to be added individually within each rule of the event handler(s) that the data selector is assigned to.
There are five default data selectors:
- Default Intrusion Selector For Malicious Code Detection
- Default IP Scanning Selector For Recon Activity Detection
- Default Local Device Selector
- Default Malicious File Selector For Malicious File Detection
- Default Risky App Selector for Risky App Detection
These default data selectors are used in some of the predefined handlers, and they cannot be edited or deleted.
To create a data selector:
- Go to Incidents & Events > Handlers > Data Selectors.
- Click Create New.
The Add New Data Selector pane displays.
- Configure the following options, and click OK to save the data selector.
Name: Enter a name for the data selector.

Devices: Select one of the following:
- All Devices
- Specify: Select the devices to include.
- Local Device: Select if the event handler is for local FortiAnalyzer event logs. This option is only available in the root ADOM and is used to query FortiAnalyzer event logs. For Local Device, the Log Type must be Event Log and the Log Subtype must be Any.

Subnets: Select All Subnets to include all subnets, or select Specify to choose which subnet(s) or subnet group(s) will be included or excluded from triggering events. For more information, see Subnets.

Filters: Click plus (+) to insert a new filter in the list. The Filter dialog displays. Configure the following options and click OK to save. To delete a filter from the list, click the x next to the filter.
- Name: Enter a name for the filter.
- Log Device Type: Select the device type from the dropdown.
- Log Type: Select a log type from the dropdown. The log types will vary depending on the device type.
- Log Subtype: Select a log subtype from the dropdown. The log subtype is not available for all device types.
- Logs match: Select All or Any of the following conditions. Click plus (+) to insert a new condition. You can insert multiple conditions. Configure each condition:
  - Log Field: Select a log field from the dropdown.
  - Match Criteria: Select an operator from the dropdown.
  - Value: Select the event type from the dropdown.
  To delete a condition, click the delete icon next to the condition.
- Generic Text Filter: (Optional) Enter a filter string. For more information, see Using the Generic Text Filter.
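The following Python is an added illustration, not Fortinet's code or a description of FortiAnalyzer internals: it models the order described above, where the data selector's device scope, log type/subtype and All/Any conditions are evaluated once per log before any event-handler rule sees it. The log field names, device IDs, operator names and sample logs are constructed assumptions.

```python
# Added illustration, not Fortinet code: models how a data selector's device
# scope, log type/subtype and conditions gate logs before any handler rule runs.
# Log field names, device IDs and operator names are constructed assumptions.
from dataclasses import dataclass, field

OPERATORS = {  # assumed subset of the "Match Criteria" dropdown
    "equal": lambda v, x: v == x,
    "not equal": lambda v, x: v != x,
    "contain": lambda v, x: x in str(v),
}

@dataclass
class DataSelector:
    devices: object = None      # None models "All Devices"; else a set of device IDs
    log_type: str = "traffic"
    log_subtype: object = None  # None models "Any"
    logs_match: str = "All"     # "All" or "Any" of the conditions
    conditions: list = field(default_factory=list)  # (log field, criteria, value)

    def selects(self, log):
        if self.devices is not None and log.get("devid") not in self.devices:
            return False
        if log.get("type") != self.log_type:
            return False
        if self.log_subtype is not None and log.get("subtype") != self.log_subtype:
            return False
        results = [OPERATORS[op](log.get(fld), val) for fld, op, val in self.conditions]
        if not results:  # no conditions: everything in scope passes
            return True
        return all(results) if self.logs_match == "All" else any(results)

def run_handler(selector, rules, logs):
    """Selector first, then the handler's rules; returns (rule name, logid) hits."""
    return [(name, log["logid"]) for log in logs if selector.selects(log)
            for name, rule in rules if rule(log)]

# Constructed sample logs, not real FortiAnalyzer output
SAMPLE_LOGS = [
    {"logid": 1, "devid": "FGT-A", "type": "traffic", "subtype": "forward", "action": "deny", "dstport": 3389},
    {"logid": 2, "devid": "FGT-A", "type": "traffic", "subtype": "forward", "action": "accept", "dstport": 3389},
    {"logid": 3, "devid": "FGT-B", "type": "traffic", "subtype": "forward", "action": "deny", "dstport": 3389},
    {"logid": 4, "devid": "FGT-A", "type": "event", "subtype": "system", "action": "deny", "dstport": 3389},
]
# Selector scoped to FGT-A traffic logs whose action is deny
SELECTOR = DataSelector(devices={"FGT-A"}, conditions=[("action", "equal", "deny")])
# Handler rule; it never sees logs 2, 3 or 4 because the selector filtered them out
RULES = [("rdp-denied", lambda log: log.get("dstport") == 3389)]
if __name__ == "__main__":
    print(run_handler(SELECTOR, RULES, SAMPLE_LOGS))  # [('rdp-denied', 1)]
```

Because the selector runs before the rule, the rule only needs to express the detection condition itself; the device and action scoping live in the selector and apply to every rule of the handler.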