Administration Guide

Creating a custom correlation handler

You can create a custom correlation handler from scratch or clone a predefined correlation handler and customize its settings. See Cloning event handlers.

Configuring a correlation handler includes defining the following main sections in the GUI:

Option

Description

Correlation event handler attributes

The name, description, data selector, MITRE techniques, and automation stitch for the correlation handler.

This section also includes the threshold duration for the handler.

Correlation Sequence

The rules for event generation in sequence and logic group.

  1. Choose Your Logs: Start by selecting the device and log type that you want to monitor for events. Choose log fields to categorize logs into smaller groups.

  2. Refine Your Logs: Once logs are grouped, you can refine the data within each group by applying filters with other log fields. Logs that match the filters will be retained within each group.

  3. Define Event Conditions: Once you've organized and filtered the logs, set up criteria that enable the system to automatically initiate events when log records reoccur within each group.

Correlation Criteria

The correlation criteria that specify which logs the event handler looks for. Each criterion is applied to two rules, using a field from each rule.

Handler Settings

The event fields, including the event type override, event message, event status, event severity, indicators, and tags.

This section also includes the notification profile for the correlation handler.

To create a new correlation event handler:
  1. Go to Incidents & Events > Handlers > Correlation Handlers.
  2. In the toolbar, click Create New.

    The Add New Correlation Event Handler pane displays.

  3. Configure the following options, and click OK to save the correlation event handler.

    Option

    Description

    Status

    Enable or disable the event handler.

    Enabled event handlers show an icon in the Status column. Disabled event handlers show an icon in the Status column.

    Name

    Enter a name for the event handler.

    Description

    (Optional) Enter a description for the event handler.

    MITRE Domain

    If applicable, select the MITRE ATT&CK domain that the event handler will help to cover. For more information, see MITRE ATT&CK®.

    MITRE Tech ID

    Select the MITRE ATT&CK technique ID(s) that the event handler provides coverage for.

    Automation Stitch

    Enable or disable automation stitch.

    When enabled, FortiAnalyzer sends a notification to FortiGate when events are generated by the event handler. The events are available in the FortiAnalyzer GUI as well. For more information, see Using the Automation Stitch for event handlers.

    Data Selector

    Select a data selector for the event handler.

    This selects devices, subnets, and filters used for the event handler. See Creating data selectors.

    Threshold Duration

    Enter the threshold duration for the correlation handler in minutes.

    The logs must match the criteria in correlation sequence within this time to generate an event.

    Correlation Sequence

    Add Rule

    Click the plus icon (+) to add a rule. The Add New Rule pane displays. Configure the options below and click OK to save the rule.

    After creating the rules, make sure they are in the correct correlation sequence. You can drag and drop the rules to re-order them, if needed.

    Select the correlation between each of the rules:

    • AND
    • AND_NOT
    • OR
    • FOLLOWED_BY (if selected, enter a time limit for the correlation to occur in)
    • NOT_FOLLOWED_BY (if selected, enter a time limit for the correlation to occur in)

    The rules must be met in the correlation sequence for the event handler to generate an event.

    Click the trash icon to delete a rule.

    Name

    Enter a name for the rule.

    Choose Your Logs

    Log Device Type

    If you are in a Security Fabric ADOM, select the log device type from the dropdown list. If you are not in a Security Fabric ADOM, you cannot change the Log Device Type.

    The Fabric log device type can be used to generate alerts from SIEM logs when SIEM logs are available.

    Log Type

    Select the log type from the dropdown list.

    When Devices is set to Local Device, you cannot change the Log Type or Log Subtype.

    Log Subtype

    Select the category of event that this event handler monitors. The available options depend on the platform type.

    This option is only available when the Log Type has a subtype. For example, Event Log and Traffic Log have log subtypes which can be selected from the dropdown.

    Log Field

    Select the log fields for the system to categorize logs into smaller groups.

    For example, consider the scenario where the Log Field is set using Source IP (srcip). When log entries are recorded with source IPs such as 192.168.1.1, 192.168.1.2, and 192.168.1.3, the system will categorize these logs into distinct groups:

    • Group 1: Logs with the source IP 192.168.1.1

    • Group 2: Logs with the source IP 192.168.1.2

    • Group 3: Logs with the source IP 192.168.1.3

    This grouping mechanism allows analysis of log data based on the specified source IP addresses.

    Log Filters

    Select All or Any of the following conditions.

    Configure the condition(s):

    • Log Field: Select a log field from the dropdown.
      After the log device and log type are selected, the Log Field dropdown list will only include log fields that belong to the specified log type. For example, the Botnet IP log field is available when the Log Type is DNS, but not available when the Log Type is Event Log.

    • Match Criteria: Select an operator from the dropdown. The available options depend on the selected log field.
      Some log fields, such as Source Port, will provide a variety of operators in the dropdown list, such as Equal To, Not Equal To, Greater Than or Equal To, Less Than or Equal To, Greater Than, and Less Than.
      Other log fields, such as Log Description, will be limited to Equal To and Not Equal To.

    • Value: Select a value from the dropdown list or enter a value in the text box. The available options depend on the selected log field.
      If there is no dropdown list provided by FortiAnalyzer, you must manually enter a value to find in the raw log.
      If a dropdown list is provided, you can select a value from the list. For some log fields, such as Level, the dropdown list also allows you to enter a custom value. If there is no textbox to enter a custom value in the dropdown list, you must use the Generic Text Filter instead.

    In the Action column, click plus (+) to insert a new filter below. You can insert multiple filters. To delete a filter, click the x next to the filter.

    Generic Text Filter

    Enter a generic text filter. See Using the Generic Text Filter.

    For information on text format, hover the cursor over the help icon. The operator ~ means contains and !~ means does not contain.

    Define Event Conditions

    Trigger an event when:

    Select the radio button for one of the following options and configure the criteria:

    • A group contains <integer> or more log occurrences

    • Within a group, the log field <log field> has <integer> or more unique values

      • Click the toggle icon to change to "[...] has fewer than <integer> unique values"

    • The sum of <measure> is greater than or equal to <integer>

    Note

    The "sum" option is used for data exfiltration detection. This option is only supported in Fabric ADOMs.

    Add Logic Group

    Click the folder icon to add a logic group.

    You must select a correlation between groups (AND, AND_NOT, OR, FOLLOWED_BY, or NOT_FOLLOWED_BY). All groups must be met in correlation sequence for the correlation event handler to generate an event.

    Click the trash icon to delete a logic group.

    Show Raw Config

    Enable to display the raw config of the correlation sequence.

    Edits made to the raw config will appear above in the correlation sequence fields. If there is an error in the text, the fields will not display and you will not be able to save the changes.

    Correlation Criteria

    Specify the fields that the event handler will look for to correlate the rules. Each correlation criterion is applied to two rules, using a field from each rule.

    Configure the following options for each correlation criterion:

    • Rule: Select the two rules to create a correlation criterion for.

    • Field: Select a field for each rule in the correlation criterion. The fields available in the dropdown are determined by the Group By field in the rule.

    • Match Criteria: Select an operator from the dropdown. The available options depend on the selected fields.

    Use the buttons in the Action column to add (+) or remove (x) correlation criteria.
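    The following is an added illustration, not FortiAnalyzer code, of how the Correlation Sequence steps (group by a Log Field, refine with Log Filters, Define Event Conditions) and a FOLLOWED_BY correlation with a field-match criterion fit together. It models one sequence, failed admin logins FOLLOWED_BY a large outbound transfer from the same source, over constructed sample logs; the threshold duration is not modelled, the correlation criterion is fixed to equal Group By keys, and all field names, rule names and values are assumptions.

```python
import operator
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real FortiAnalyzer output); "ts" is ISO 8601.
E, T = "event", "traffic"
LOGS = [
    {"ts": "2024-03-01T09:00:00", "logtype": E, "srcip": "10.0.0.5", "logdesc": "Admin login failed", "sentbyte": 0},
    {"ts": "2024-03-01T09:00:20", "logtype": E, "srcip": "10.0.0.5", "logdesc": "Admin login failed", "sentbyte": 0},
    {"ts": "2024-03-01T09:00:40", "logtype": E, "srcip": "10.0.0.5", "logdesc": "Admin login failed", "sentbyte": 0},
    {"ts": "2024-03-01T09:01:00", "logtype": E, "srcip": "10.0.0.7", "logdesc": "Admin login failed", "sentbyte": 0},
    {"ts": "2024-03-01T09:05:00", "logtype": T, "srcip": "10.0.0.5", "logdesc": "Forward traffic", "sentbyte": 600},
    {"ts": "2024-03-01T09:06:00", "logtype": T, "srcip": "10.0.0.5", "logdesc": "Forward traffic", "sentbyte": 700},
    {"ts": "2024-03-01T08:30:00", "logtype": T, "srcip": "10.0.0.7", "logdesc": "Forward traffic", "sentbyte": 5000},
]

# Match Criteria operators; "~" / "!~" mirror the Generic Text Filter's contains / does-not-contain.
OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge, "<=": operator.le,
       ">": operator.gt, "<": operator.lt,
       "~": lambda a, b: b in str(a), "!~": lambda a, b: b not in str(a)}

def rule_hits(logs, rule):
    """One rule: Choose Your Logs -> Refine Your Logs -> Define Event Conditions.
    Returns {group_key: (first_ts, last_ts)} for each group that met the trigger."""
    groups = defaultdict(list)
    for log in logs:                     # Choose Your Logs: log type, then group by the Log Field
        if log["logtype"] == rule["log_type"]:
            groups[log[rule["group_by"]]].append(log)
    combine = all if rule.get("match", "all") == "all" else any   # Log Filters: All / Any
    hits = {}
    for key, entries in groups.items():  # Refine Your Logs: keep only entries matching the filters
        kept = [e for e in entries
                if combine(OPS[op](e[field], value) for field, op, value in rule["filters"])]
        cond = rule["trigger"]           # Define Event Conditions
        if cond["kind"] == "count":
            fired = len(kept) >= cond["n"]
        elif cond["kind"] == "unique":
            fired = len({e[cond["field"]] for e in kept}) >= cond["n"]
        else:                            # "sum" of a numeric measure (the data-exfiltration style condition)
            fired = sum(e[cond["measure"]] for e in kept) >= cond["n"]
        if kept and fired:
            times = sorted(datetime.fromisoformat(e["ts"]) for e in kept)
            hits[key] = (times[0], times[-1])
    return hits

def followed_by(hits_a, hits_b, limit_minutes):
    """A FOLLOWED_BY B with the correlation criterion 'same group key' (A.srcip == B.srcip):
    B's first matching log must come after A's last one and within limit_minutes."""
    limit = timedelta(minutes=limit_minutes)
    return sorted(k for k in hits_a if k in hits_b
                  and hits_a[k][1] < hits_b[k][0] <= hits_a[k][1] + limit)

# Rule A: 3+ failed admin logins from one source; Rule B: that source then sends 1000+ bytes out.
FAILED_LOGINS = {"log_type": E, "group_by": "srcip",
                 "filters": [("logdesc", "~", "login failed")],
                 "trigger": {"kind": "count", "n": 3}}
BULK_UPLOAD = {"log_type": T, "group_by": "srcip",
               "filters": [("logdesc", "==", "Forward traffic")],
               "trigger": {"kind": "sum", "measure": "sentbyte", "n": 1000}}

def correlate(logs=LOGS, limit_minutes=10):
    """Evaluate the sequence FAILED_LOGINS FOLLOWED_BY BULK_UPLOAD; returns the correlated source IPs."""
    return followed_by(rule_hits(logs, FAILED_LOGINS), rule_hits(logs, BULK_UPLOAD), limit_minutes)

if __name__ == "__main__":
    print(correlate())   # ['10.0.0.5']: 10.0.0.7's upload happened before its failed login, so it is not correlated
```

    Shortening the FOLLOWED_BY limit below the five-minute gap between the two rules drops the match, which is the same effect as a time limit that is too tight in the GUI.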

    Handler Settings

    Event Type Override

    Specify a custom event type, or leave this field blank to use the default value.

    Event Message

    (Optional) Enter a custom event message.

    By default, Group by key-value pair(s) will be displayed as the event message in Event Monitor.

    Examples:

    • Virus:JS/Runfile.B!tr

    • Endpoint:172.17.58.118 Virus:BlackMoon

    You can customize event messages by using Group By variables: $groupby1 and $groupby2

    Examples:

    • Virus $groupby1 found in traffic

    • Endpoint $groupby1 infected with virus $groupby2

    Event Status

    Select Allow FortiAnalyzer to choose or select a status from the dropdown list: Unhandled, Mitigated, Contained, (Blank). You can use a custom event status by clicking the plus (+) that appears in the Event Status dropdown.

    Event statuses, including custom statuses, are displayed in the Event Status column in the Event Monitor.

    Event Severity

    Select the severity from the dropdown list: Critical, High, Medium, or Low.

    Tags

    (Optional) Enter custom tags.

    Tags can be used as a filter when using default or custom views.

    Indicators

    (Optional) Add indicators by clicking the plus (+). You can configure the Log Field, Indicator Type, and Count for each indicator created in an event handler. Use the buttons in the Action column to add (+) or remove (x) indicators. Up to five indicators can be created.

    When Indicators is selected in Event Monitor > Display Options, the Indicators column displays indicator types for detected events. You can see additional details when clicking on an indicator. See Event Monitor.

    If an incident is raised from an event that includes indicators, they can be viewed in the Indicators tab of the incident analysis page. See Analyzing an incident.

    Additional Info

    Specify what to show in the Additional Info column of the Event Monitor.

    Select Use system default or Use custom message. A custom message can include variables and log field names. For more information, hover over the help icon.

    Notifications

    Select a notification profile for the event handler. See Creating notification profiles.
