New Features

New predefined correlation event handlers

In 7.4.0, 33 predefined correlation event handlers have been added for nine use cases. The nine use cases include:

Command & Control (CnC): To identify suspicious traffic between internal systems and external destinations.

Credential Access: To identify when credentials are compromised, indicating that an attacker may have gained access.

Defense Evasion: To identify if an endpoint is compromised.

Execution: To identify if any malware is downloaded and executed.

Exfiltration: To identify any data leaks in the network.

Initial Access: To identify any suspicious activities after a new user has gained access.

Lateral Movement: To identify any further advancement by the attacker on an already compromised network.

Persistence: To identify when an attacker maintains unauthorized access and performs malicious activities.

Privilege Escalation: To identify if an attacker tries to gain access to sensitive information.

To view the predefined correlation event handlers, go to Incidents & Events > Handlers > Correlation Handlers. From the More dropdown, select Show Predefined and deselect Show Custom. The related use case is included in the name of the predefined correlation event handler.

CnC - Botnet CnC Communication Detected: Botnet communication detected together with multiple TXT-type DNS requests, which is a way of hiding communication with the botnet and carrying commands from it. This is a strong indication of a botnet attack event.

CnC - Default Access To A Suspicious Domain After SSH Command Block For Many Times: A user's SSH attempts from FortiGate to an endpoint are blocked many times, shortly followed by access to a suspicious domain from that endpoint, which may indicate the endpoint is compromised.

CnC - Default Incoming Botnet CnC Communication Callback Detected: Incoming botnet communication detected, followed by multiple TXT-type DNS requests, which is a way to hide Command and Control communication with the botnet. This may indicate the endpoint is sending a message to the botnet to confirm it is under control and to fetch commands from the botnet.

CnC - Default Intrusion Detected After SSH Command Block For Many Times: A user's SSH attempts from FortiGate to another device fail many times, followed by an intrusion detected from the endpoint the user tried to access. This may indicate the user has gained access to the endpoint and triggered the intrusion.

CnC - Default Outgoing Botnet CnC Communication Callback Detected: Outgoing botnet communication detected, followed by multiple TXT-type DNS requests, which is a way to hide Command and Control communication with the botnet. This may indicate the endpoint is sending a message to the botnet to confirm it is under control and to fetch commands from the botnet.

CnC - Default Risky App Detected After SSH Command Block For Many Times: A user's SSH attempts from FortiGate to an endpoint are blocked many times, shortly followed by a risky app detected on that endpoint, which may indicate the endpoint is compromised.

CnC - Default Suspicious Traffic from Infected Endpoint: Detects an endpoint that is infected and is generating a large volume of traffic.

Credential Access - Default Brute Force Account Login Attack FAZ: Detects an account login that failed many times without a subsequent successful login on FortiAnalyzer.

Credential Access - Default Brute Force Account Login Attack FGT: Detects an account login that failed many times without a subsequent successful login on FortiGate.

Credential Access - Default Credentials Were Read After Special Privileges Assigned: Privileges assigned to a user, shortly followed by credentials being read, may indicate the user is suspicious.

Defense Evasion - Default Access To A Suspicious Domain After Malware Downloaded: Access to a suspicious domain after malware download attempts were blocked many times, which may indicate the malware penetrated the defenses and the device is compromised.

Defense Evasion - Default Access To A Suspicious Domain After Risky App Detected: A high or critical risk app detected, followed by a connection to a newly registered domain, may indicate the risky app is trying to talk to a botnet server, which requires attention.

Defense Evasion - Default Attack Event Detected After Malware Downloaded: Malware download detected, followed by an attack event, may indicate the endpoint is compromised by the malware.

Defense Evasion - Default Communication To Botnet Detected After Malware Detected: Malware download detected, followed by multiple TXT-type DNS requests, which is a way of hiding communication with the botnet and carrying commands from it. This may indicate the endpoint is being controlled.

Defense Evasion - Default Intrusion Detected After KERBEROS Traffic Violation: A KERBEROS traffic violation followed by an intrusion detected may indicate an unwanted user gained access to the endpoint through KERBEROS.

Defense Evasion - Default Intrusion Detected After Malware Detected: Malware download blocked many times, followed by an intrusion detected. This may indicate the malware penetrated the defenses and the endpoint is compromised.

Defense Evasion - Default Intrusion Detected After Risky App Detected: A high or critical risk app detected, followed by an intrusion detected, may indicate the risky app triggered the intrusion.

Defense Evasion - Default SUNBURST Domain Traffic Detected After Malware Downloaded: SUNBURST domain traffic detected after malware download attempts were blocked multiple times. This event may indicate the malware escaped and executed in order to communicate with SUNBURST Command and Control servers.

Execution - Default Malware Downloaded And Execution Detected: A user attempted to download malware onto their endpoint many times, followed by a high or critical risk app detected in the FortiGate application control log. This may indicate the user bypassed security, downloaded the malware, and then executed the malware or infected software.

Exfiltration - Default Data Leak Detected After Risky App Detected: A high or critical risk app detected, followed by a data leak detected, may indicate the endpoint is compromised.

Exfiltration - Default Data Leak Detected After SSH Command Block For Many Times: A user's SSH attempts from FortiGate to an endpoint are blocked many times, shortly followed by a data leak from that endpoint, which may indicate the endpoint is compromised.

Initial Access - Default Kernel Module Removed After A New User Access to The Linux via Shell: A new user accesses Linux via shell, followed by a kernel module being removed, which may indicate the new user is suspicious.

Initial Access - Default Syslog Logging Service Deactivated After A New User Access To The Linux via Shell: Potential shell access via a web server, or a new user accessing the Ubuntu shell, followed by the syslog logging service being disabled, may indicate an unwanted user has gained access to the endpoint and disabled the syslog logging service.

Lateral Movement - Default Access To A Suspicious Domain On A Device with Vulnerability: Access to a suspicious domain from a device with a vulnerability, which may indicate the device is compromised.

Lateral Movement - Default Data Leak Found On A Device with Vulnerability: A data leak found on a device with a vulnerability may indicate the device is compromised.

Lateral Movement - Default Virus Detected On A Device with Vulnerability: A virus detected on a device with a vulnerability may indicate it is compromised; not only must the virus be removed, but the vulnerability must also be fixed.

Lateral Movement - Default Vulnerability And Intrusion Detected: A vulnerability detected by FCT (FortiClient) and an intrusion detected, both on the same endpoint, may indicate the endpoint is compromised.

Persistence - Default Firewall Service Deactivated After Authentication Failed For Many Times: Authentication failed many times, followed by the firewall service being deactivated, may indicate an unwanted user has gained access to the endpoint and disabled the firewall service.

Persistence - Default Kernel Module Removed After Authentication Failed For Many Times: Authentication failed many times, followed by a kernel module being removed, may indicate an unwanted user has gained access to the endpoint and removed the kernel module.

Persistence - Default Syslog Logging Service Deactivated After Authentication Failed For Many Times: Authentication failed many times, followed by the syslog logging service being deactivated, may indicate an unwanted user has gained access to the endpoint and disabled the logging service.

Privilege Escalation - Default Firewall Disabled After Special Privileges Assigned to New Logon: The firewall disabled after special privileges are assigned to a new logon may indicate this new logon user is suspicious.

Privilege Escalation - Default Windows Event Logging Service Is Down Or Log Is Cleared After Privileges Assigned: Privileges assigned to a user, shortly followed by the event logging service going down or the log being cleared, may indicate the user is suspicious.

Privilege Escalation - Default Windows System Time Was Changed After Privileges Assigned To A New Logon: Privileges assigned to a new logon, followed by the Windows system time being changed, may indicate a time travel attack. For example, setting the clock back on a client to a previous point in time could cause the system to accept rogue Transport Layer Security (TLS) certificates that may already have been revoked, thereby giving attackers a way to decrypt encrypted communications.

To edit a predefined correlation event handler, select it and click Edit. You can enable or disable these handlers according to your needs. You can also include a data selector or notification profile where appropriate. For more information about editing a correlation event handler, see Creating a custom correlation handler in the FortiAnalyzer Administration Guide.

In the Edit Correlation Event Handler pane, you can review the description of the handler as well as the correlation sequence and criteria.

When these predefined correlation event handlers are enabled, incoming logs that satisfy the correlation sequence will trigger events. To view the triggered events, click the event count in the Events column.
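As an added example (not FortiAnalyzer's own handler engine and not code from this page), the following Python models the two sequence shapes the handlers above describe: "A happens many times, then B follows within a window" and "A happens many times and is not followed by B". The event kinds, the threshold of five and the 60-second window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: int    # seconds since an arbitrary epoch (constructed sample data)
    host: str  # endpoint the sequence is correlated on
    kind: str  # normalised event type, an assumed naming such as "ssh_blocked"


@dataclass
class Handler:
    name: str
    trigger: str          # stage-1 event kind
    count: int            # how many trigger events count as "many times"
    follow: str           # stage-2 event kind
    window: int           # seconds: triggers must cluster, and stage 2 must occur, within it
    negate: bool = False  # True: fire when stage 2 does NOT occur (the brute-force pattern)


def correlate(handler, events):
    """Return [(host, ts)] alerts, where ts is the time stage 1 completed."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)
    alerts = []
    for host, evs in by_host.items():
        trig = [e.ts for e in evs if e.kind == handler.trigger]
        # slide over trigger timestamps; the count-th trigger in a burst closes stage 1
        for k in range(handler.count - 1, len(trig)):
            t1 = trig[k]
            if t1 - trig[k - handler.count + 1] > handler.window:
                continue  # triggers too spread out to count as a burst
            followed = any(e.kind == handler.follow and t1 <= e.ts <= t1 + handler.window
                           for e in evs)
            if followed != handler.negate:
                alerts.append((host, t1))
                break  # one alert per host per batch, a simple de-duplication
    return alerts


# Assumed event kinds and thresholds; the names are the page's handler names.
SSH_THEN_DOMAIN = Handler(
    "CnC - Default Access To A Suspicious Domain After SSH Command Block For Many Times",
    "ssh_blocked", 5, "suspicious_domain", 60)
BRUTE_FORCE = Handler(
    "Credential Access - Default Brute Force Account Login Attack FGT",
    "login_failed", 5, "login_success", 60, negate=True)

# Constructed sample events, not real logs.
SAMPLE = (
    [Event(t, "10.0.0.5", "ssh_blocked") for t in range(0, 5)]
    + [Event(30, "10.0.0.5", "suspicious_domain")]         # within window: alert
    + [Event(t, "10.0.0.9", "ssh_blocked") for t in range(0, 5)]
    + [Event(500, "10.0.0.9", "suspicious_domain")]        # outside window: no alert
    + [Event(t, "10.0.0.7", "login_failed") for t in range(100, 105)]
    + [Event(110, "10.0.0.7", "login_success")]            # success follows: not brute force
    + [Event(t, "10.0.0.8", "login_failed") for t in range(200, 205)]  # no success: alert
)


def run_all(events=SAMPLE):
    return {h.name: correlate(h, events) for h in (SSH_THEN_DOMAIN, BRUTE_FORCE)}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(name, "->", hits)
```

Only 10.0.0.5 and 10.0.0.8 produce alerts: the other two hosts show that the window and the "not followed by" condition are what separate noise from a handler match.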
