MS Exchange Server event handlers
The predefined Windows Event Log Parser parses MS Exchange Server logs into the SIEM database. You can identify these Fabric logs by the Host OS Family in Log View. These logs are required for the event handlers used in the examples in this topic.
For example, see below where the Host OS Family is MS Exchange.
The following predefined event handlers are available to detect suspicious activities in the MS Exchange Server:
The following topology is used for the examples below.
MS Exchange - Large Email
MS Exchange - Large Email is a basic event handler that uses MS Exchange Server logs to detect large email attachments (greater than 10485760 net sent bytes) being transported in the Microsoft Exchange Server.
This event handler uses the predefined data selector Default Microsoft Exchange Transport Log to ensure the proper devices and logs are used to trigger events.
Rule details:
| Rule | Description |
|---|---|
| Large Email Attachment Detected | Triggers an event when a large email attachment (greater than 10485760 net sent bytes) is being transported in the Microsoft Exchange Server. Event Severity: Medium. Log Field: Mail From, Host Name. Logs that match all of the following filters: Event Message: Large email attachment from $groupby1. Tags: MSExchange, Exfiltration. Additional Info: From: ${groupby1}, Server: ${groupby2} |
Events triggered by this event handler are visible in the Event Monitor:
You can double-click an event to view the related logs. In this example, 14688987 net sent bytes were transported in the Microsoft Exchange Server, which triggered the event.
MS Exchange - Multiple Failed Deliveries
MS Exchange - Multiple Failed Deliveries is a basic event handler that uses MS Exchange Server logs to detect repeated delivery failures, including bounced messages, to the same recipient that exceed a threshold. These events indicate potential issues with the recipient address or sender configuration.
This event handler uses the predefined data selector Default Microsoft Exchange Transport Log to ensure the proper devices and logs are used to trigger events.
Rule details:
| Rule | Description |
|---|---|
| Large Email Attachment Detected | Triggers an event when there are five or more failed or bounced deliveries in the MS Exchange Server within one hour. Event Severity: Medium. Log Field: Mail From, Event Outcome. Log Filter by Text: event_outcome='FAIL' or event_outcome='DSN'. Event Message: Delivery from $groupby1 resulted in $groupby2 outcome. Tags: MSExchange |
Events triggered by this event handler are visible in the Event Monitor:
You can double-click an event to view the related logs. In this example, the event outcome in the MS Exchange Server log shows the email delivery as FAIL, which triggered the event.
MS Exchange - Suspicious Email Activity
MS Exchange - Suspicious Email Activity is a correlation event handler that detects five failed login attempts followed by email activity. These events may suggest that an attacker has successfully accessed the user account and is attempting to exploit access to the email system, possibly for data exfiltration, spreading malware, or conducting phishing attacks from a legitimate account.
This event handler uses the predefined data selector Default Microsoft Windows Security and Exchange Transport Log to ensure the proper devices and logs are used to trigger events.
- Correlation: This event handler triggers an event when the rule Login Failed 5 Times is followed by Email Activity Detected within 10 minutes with a matching source IP.
- Rule details:

| Rule | Description |
|---|---|
| Login Failed 5 Times | Triggered when there are five failed login attempts from the same source IP. Log Field: Source IP. Logs that match all of the following filters: Event ID (event_id) = 4625 |
| Email Activity Detected | Triggered when there is email activity from the matching source IP within 10 minutes of the previous rule being triggered. Log Field: Source IP. Logs that match all of the following filters: Event Outcome (event_outcome) = SEND |

- Event message: Email activity detected after multiple login failures on ClientIP ${Login Failed 5 Times.groupby1}
- Event Severity: High
- Tags: MSExchange, CredentialAccess, LateralMovement
Events triggered by this event handler are visible in the Event Monitor:
You can double-click an event to view the related logs. The logs that triggered each rule in the correlation sequence can be viewed in the respective tabs: Login Failed 5 Times and Email Activity Detected. The same source IP has multiple failed logins followed by email activity.
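The correlation sequence described above (five Event ID 4625 failures from one source IP, then an Exchange SEND outcome from the same IP within 10 minutes), re-implemented in Python as an added illustration; this is not the product's own rule engine. The record field names and the sample log records are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
FAILED_LOGIN_EVENT_ID = 4625                # Windows Security: an account failed to log on
FAILURE_THRESHOLD = 5                       # rule "Login Failed 5 Times"
CORRELATION_WINDOW = timedelta(minutes=10)  # rule 2 must follow rule 1 within this window
TS_FMT = "%Y-%m-%d %H:%M:%S"

def correlate_suspicious_email_activity(logs):
    """Emit one alert per source IP that reaches 5 failed logins (event 4625) and then
    produces an Exchange SEND outcome within 10 minutes. `logs` is sorted by timestamp;
    field names (timestamp, source_ip, event_id, event_outcome) are assumed here."""
    failures = defaultdict(list)            # source_ip -> timestamps of 4625 events
    triggered_at = {}                       # source_ip -> time rule 1 fired
    alerts = []
    for rec in logs:
        ip, ts = rec["source_ip"], datetime.strptime(rec["timestamp"], TS_FMT)
        if rec.get("event_id") == FAILED_LOGIN_EVENT_ID:
            failures[ip].append(ts)
            if len(failures[ip]) >= FAILURE_THRESHOLD and ip not in triggered_at:
                triggered_at[ip] = ts       # rule 1 fires on the 5th failure
        elif rec.get("event_outcome") == "SEND" and ip in triggered_at:
            if ts - triggered_at[ip] <= CORRELATION_WINDOW:
                alerts.append({
                    "severity": "High",
                    "message": f"Email activity detected after multiple login failures on ClientIP {ip}",
                    "tags": ["MSExchange", "CredentialAccess", "LateralMovement"],
                })
            del triggered_at[ip]            # sequence consumed (matched or expired)
            failures[ip].clear()
    return alerts

def failed_logins(ip, start, count):
    """Build `count` constructed 4625 records for `ip`, 10 seconds apart."""
    t0 = datetime.strptime(start, TS_FMT)
    return [{"timestamp": (t0 + timedelta(seconds=10 * i)).strftime(TS_FMT),
             "source_ip": ip, "event_id": FAILED_LOGIN_EVENT_ID} for i in range(count)]

def send_event(ip, when):
    return {"timestamp": when, "source_ip": ip, "event_outcome": "SEND"}

# Constructed sample records (not taken from a real Exchange deployment):
SAMPLE_LOGS = sorted(
    failed_logins("203.0.113.7", "2024-05-01 09:00:00", 5)     # 5 failures, SEND 4 min later -> alert
    + [send_event("203.0.113.7", "2024-05-01 09:05:00")]
    + failed_logins("198.51.100.4", "2024-05-01 09:10:00", 3)  # only 3 failures -> no alert
    + [send_event("198.51.100.4", "2024-05-01 09:11:00")]
    + failed_logins("192.0.2.9", "2024-05-01 09:20:00", 5)     # SEND ~14 min later -> outside window
    + [send_event("192.0.2.9", "2024-05-01 09:35:00")],
    key=lambda rec: rec["timestamp"])
```

Running `correlate_suspicious_email_activity(SAMPLE_LOGS)` yields a single High-severity alert for 203.0.113.7; the other two IPs fall below the threshold or outside the 10-minute window.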