Fortinet white logo
Fortinet white logo

Administration Guide

Predefined correlation handlers

Predefined correlation handlers

FortiAnalyzer includes some predefined correlation event handlers that you can use to generate events.

If you wish to recieve notifications from a pedefined correlation handler, configure a notification profile and assign it to the correlation handler. See Creating notification profiles.

To view predefined event handlers in the FortiAnalyzer GUI, go to Incidents & Events > Handlers > Correlation Handlers. From the More dropdown, select Show Predefined. Predefined correlation handlers are named according to their use case. For example, there are predefined correlaton handlers for:

  • CnC (Command and Control)

  • Credential Access

  • Defense Evasion

  • Execution

  • Exfiltration

  • Initial Access

  • Lateral Movement

  • Persistence

  • Privilege

The following are a small sample of FortiAnalyzer predefined correlation handlers.

Correlation Handler

Description

CnC - Default-Suspicious-Traffic-From-Infected-Endpoint

This handler is to detect if an endpoint is infected and there is a large traffic from the same endpoint.

Disabled by default

Event Severity: Medium

Tags: CnC

Threshold Duration: 30 minutes

Correlation Sequence:

Logic Group 1

Traffic to Botnet CnC detected or blocked in virus log
Log Device Type FortiGate
Log Type Antivirus
Log Field Source Endpoint
Log messages that match any of the following conditions:
  • Log ID Equal To 0202009248

  • Log ID Equal To 0202009249

Trigger an event when:

A group contains 1 or more log occurences

OR

Traffic to CnC detected
Log Device Type FortiGate
Log Type Traffic Log > Any
Log Field Source Endpoint
Log messages that match any of the following conditions:

tdtype~infected

Trigger an event when:

A group contains 1 or more log occurences

OR

Web traffic to CnC detected
Log Device Type FortiGate
Log Type Web Filter
Log Field Source Endpoint
Log messages that match any of the following conditions:

tdtype~infected

Trigger an event when:

A group contains 1 or more log occurences

OR

DNS traffic to CnC detected
Log Device Type FortiGate
Log Type DNS Log
Log Field Source Endpoint
Log messages that match any of the following conditions:

tdtype~infected

Trigger an event when:

A group contains 1 or more log occurences

FOLLOWED_BY, within 15m

Logic Group 2

Traffic from endpoint
Log Device Type FortiGate
Log Type Traffic Log > Any
Log Field Source Endpoint
Log messages that match any of the following conditions:

Trigger an event when:

The sum of sentbyte is greater than or equal to 100 Mega Byte

Correlation Criteria:

  • Traffic to Botnet CnC detected or blocked in virus log endpoint = Traffic to CnC detected endpoint

  • Traffic to CnC detected endpoint = Web traffic to CnC detected endpoint

  • Web traffic to CnC detected endpoint = DNS traffic to CnC detected endpoint

  • DNS traffic to CnC detected endpoint = Traffic from endpoint endpoint

Credential Access - Default-Brute-Force-Account-Login-Attack-FAZ

This handler is to detect if an account login failed many times not followed by a login success for FortiAnalyzer.

Disabled by default

Event Severity: Medium

Tags: login, attack

Threshold Duration: 30 minutes

Correlation Sequence:

Login Failed 5 Times
Log Device Type FortiAnalyzer
Log Type Event Log
Log Field Device ID
Log messages that match any of the following conditions: Operation Equal To login failed

Trigger an event when:

A group contains 5 or more log occurences

NOT_FOLLOWED_BY, within 5m

Login Success
Log Device Type FortiAnalyzer
Log Type Event Log
Log Field Device ID
Log messages that match any of the following conditions: Operation Equal To login

Trigger an event when:

A group contains 1 or more log occurences

Correlation Criteria:

  • Login Failed 5 Times devid = Login Success devid

Credential Access - Default-Brute-Force-Account-Login-Attack-FGT

This handler is to detect if an account login failed many times not followed by a login success for FortiGate.

Disabled by default

Event Severity: Medium

Tags: login, attack

Threshold Duration: 30 minutes

Correlation Sequence:

Login Failed 5 Times
Log Device Type FortiGate
Log Type Event Log > System
Log Field Device ID
Log messages that match any of the following conditions: Log ID Equal To 0100032002

Trigger an event when:

A group contains 5 or more log occurences

NOT_FOLLOWED_BY, within 5m

Login-Success
Log Device Type FortiGate
Log Type Event Log > System
Log Field Device ID
Log messages that match any of the following conditions: Log ID Equal To 0100032001

Trigger an event when:

A group contains 1 or more log occurences

Correlation Criteria:

  • Login Failed 5 Times devid = Login-Success devid

Predefined correlation handlers

Predefined correlation handlers

FortiAnalyzer includes some predefined correlation event handlers that you can use to generate events.

If you wish to recieve notifications from a pedefined correlation handler, configure a notification profile and assign it to the correlation handler. See Creating notification profiles.

To view predefined event handlers in the FortiAnalyzer GUI, go to Incidents & Events > Handlers > Correlation Handlers. From the More dropdown, select Show Predefined. Predefined correlation handlers are named according to their use case. For example, there are predefined correlaton handlers for:

  • CnC (Command and Control)

  • Credential Access

  • Defense Evasion

  • Execution

  • Exfiltration

  • Initial Access

  • Lateral Movement

  • Persistence

  • Privilege

The following are a small sample of FortiAnalyzer predefined correlation handlers.

Correlation Handler

Description

CnC - Default-Suspicious-Traffic-From-Infected-Endpoint

This handler is to detect if an endpoint is infected and there is a large traffic from the same endpoint.

Disabled by default

Event Severity: Medium

Tags: CnC

Threshold Duration: 30 minutes

Correlation Sequence:

Logic Group 1

Traffic to Botnet CnC detected or blocked in virus log
Log Device Type FortiGate
Log Type Antivirus
Log Field Source Endpoint
Log messages that match any of the following conditions:
  • Log ID Equal To 0202009248

  • Log ID Equal To 0202009249

Trigger an event when:

A group contains 1 or more log occurences

OR

Traffic to CnC detected
Log Device Type FortiGate
Log Type Traffic Log > Any
Log Field Source Endpoint
Log messages that match any of the following conditions:

tdtype~infected

Trigger an event when:

A group contains 1 or more log occurences

OR

Web traffic to CnC detected
Log Device Type FortiGate
Log Type Web Filter
Log Field Source Endpoint
Log messages that match any of the following conditions:

tdtype~infected

Trigger an event when:

A group contains 1 or more log occurences

OR

DNS traffic to CnC detected
Log Device Type FortiGate
Log Type DNS Log
Log Field Source Endpoint
Log messages that match any of the following conditions:

tdtype~infected

Trigger an event when:

A group contains 1 or more log occurences

FOLLOWED_BY, within 15m

Logic Group 2

Traffic from endpoint
Log Device Type FortiGate
Log Type Traffic Log > Any
Log Field Source Endpoint
Log messages that match any of the following conditions:

Trigger an event when:

The sum of sentbyte is greater than or equal to 100 Mega Byte

Correlation Criteria:

  • Traffic to Botnet CnC detected or blocked in virus log endpoint = Traffic to CnC detected endpoint

  • Traffic to CnC detected endpoint = Web traffic to CnC detected endpoint

  • Web traffic to CnC detected endpoint = DNS traffic to CnC detected endpoint

  • DNS traffic to CnC detected endpoint = Traffic from endpoint endpoint

Credential Access - Default-Brute-Force-Account-Login-Attack-FAZ

This handler is to detect if an account login failed many times not followed by a login success for FortiAnalyzer.

Disabled by default

Event Severity: Medium

Tags: login, attack

Threshold Duration: 30 minutes

Correlation Sequence:

Login Failed 5 Times
Log Device Type FortiAnalyzer
Log Type Event Log
Log Field Device ID
Log messages that match any of the following conditions: Operation Equal To login failed

Trigger an event when:

A group contains 5 or more log occurences

NOT_FOLLOWED_BY, within 5m

Login Success
Log Device Type FortiAnalyzer
Log Type Event Log
Log Field Device ID
Log messages that match any of the following conditions: Operation Equal To login

Trigger an event when:

A group contains 1 or more log occurences

Correlation Criteria:

  • Login Failed 5 Times devid = Login Success devid

Credential Access - Default-Brute-Force-Account-Login-Attack-FGT

This handler is to detect if an account login failed many times not followed by a login success for FortiGate.

Disabled by default

Event Severity: Medium

Tags: login, attack

Threshold Duration: 30 minutes

Correlation Sequence:

Login Failed 5 Times
Log Device Type FortiGate
Log Type Event Log > System
Log Field Device ID
Log messages that match any of the following conditions: Log ID Equal To 0100032002

Trigger an event when:

A group contains 5 or more log occurences

NOT_FOLLOWED_BY, within 5m

Login-Success
Log Device Type FortiGate
Log Type Event Log > System
Log Field Device ID
Log messages that match any of the following conditions: Log ID Equal To 0100032001

Trigger an event when:

A group contains 1 or more log occurences

Correlation Criteria:

  • Login Failed 5 Times devid = Login-Success devid