Predefined basic event handlers

FortiAnalyzer includes many predefined event handlers that you can use to generate events. You can easily create a custom event handler by cloning a predefined event handler and customizing its settings. See Cloning event handlers.

If you wish to recieve notifications from a pedefined event handler, configure a notification profile and assign it to the event handler. See Creating notification profiles.

In 6.2.0 and up, predefined event handlers have been consolidated and have multiple rules that can be enabled or disabled individually.

To view predefined event handlers in the FortiAnalyzer GUI, go to Incidents & Events > Event Handlers > Event Handlers. From the More dropdown, select Show Predefined. The predefined event handlers display with Origin = Built-in. An icon in the Name column indicates if the event handler is a basic event handler or a correlation event handler. For more information about correlation event handlers, see Predefined correlation event handlers.

The following are a small sample of FortiAnalyzer predefined basic event handlers.

Event Handler	Description
Default-Compromised-Host-Detection-IOC-By-Threat	Default event handler to detect compromised hosts by FortiAnalyzer IOC feature grouped by threat. Enabled by default MITRE Tech IDs: T1071.001 Web Protocols T1071.004 DNS T1041 Exfiltration Over C2 Channel Rule 1: Traffic to CnC detected Event Severity: Critical Log Device Type: FortiGate Log Type: Traffic Log > Any Log Field: Destination IP, Endpoint Log messages that match all of the following filters: tdtype~infected Event Status: Unhandled Tags: IP, C&C, Ioc_Rescan Custom Message: Traffic to C&C:${dstip}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 2: Web traffic to CnC detected Event Severity: Critical Log Device Type: FortiGate Log Type: Web Filter Log Field: Hostname URL, Source Endpoint Log messages that match all of the following filters: tdtype~infected Event Status: Unhandled Tags: C&C, URL, Ioc_Rescan Custom Message: Traffic to C&C:${hostname}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 3: DNS traffic to CnC detected Event Severity: Critical Log Device Type: FortiGate Log Type: DNS Log Log Field: QNAME, Source Endpoint Log messages that match all of the following filters: tdtype~infected Event Status: Unhandled Tags: C&C, Domain, Ioc_Rescan Custom Message: Traffic to C&C:${qname}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 4: Traffic to CnC event detected by FortiGate Event Severity: Critical Log Device Type: FortiGate Log Type: Event Log > System Log Field: Source IP Log messages that match all of the following filters: logid==0100020214 Event Status: Unhandled Tags: C&C Custom Message: FGT detected traffic to IOC location, from the source ip:${srcip}
Default-Data-Leak-Detection-By-Threat	Default data leak detection handler grouped by threat. Disabled by default MITRE Tech ID: T1005 Data from Local System Rule 1: Data leak detected Event Severity: Medium Log Device Type: FortiGate Log Type: DLP Log Field: Filter Category, Source Endpoint Log messages that match all of the following filters: action==log-only or action==allow Event Status: Unhandled Tags: Signature, Leak Custom Message: File:${filename} (Type:${filetype}, Size:${filesize}), Traffic path: PolicyID ${policyid}\${dstip}:${dstport} Rule 2: Data leak blocked Event Severity: Low Log Device Type: FortiGate Log Type: DLP Log Field: Filter Category, Source Endpoint Log messages that match all of the following filters: action!=log-only and action!=allow Event Status: Mitigated Tags: Signature, Leak Custom Message: File:${filename} (Type:${filetype}, Size:${filesize}), Traffic path: PolicyID ${policyid}\${dstip}:${dstport}
Default-Sandbox-Detections-By-Endpoint	Default handler to track file submission and malware detection by FortiSandbox grouped by endpoint. Disabled by default MITRE Tech IDs: T1041 Exfiltration Over C2 Channel Rule 1: Malware detected Event Severity: Critical Log Device Type: FortiGate Log Type: AntiVirus Log Field: Source Endpoint, Virus Name Log messages that match all of the following filters: logid==0211009235 or logid==0211009237 Event Status: Unhandled Tags: Sandbox, Signature, Malware Custom Message: Malware:${virus} with severity:${crlevel} found in file:${filename} from ${dstip}:${dstport}, Reference: ${ref} Rule 2: Malware blocked Event Severity: Critical Log Device Type: FortiGate Log Type: AntiVirus Log Field: Source Endpoint, Virus Name Log messages that match all of the following filters: logid==0211009234 or logid==0211009236 Event Status: Mitigated Tags: Sandbox, Signature, Malware Custom Message: Malware:${virus} with severity:${crlevel} found in file:${filename} from ${dstip}:${dstport}, Reference: ${ref} Rule 3: Sandbox detected Malware Event Severity: Critical Log Device Type: FortiGate Log Type: AntiVirus Log Field: Source Endpoint Log messages that match any one of the following filters: logid==0201009238 and fsaverdict==malicious Event Status: Unhandled Tags: Sandbox, Malware Custom Message: File:${filename}, Traffic path: ${dstintf}(Policy:${policyid})\${dstip}:${dstport}, Checksum:${analyticscksum}
Default-Shadow-IT-Events	Default event handler to detect unsanctioned user, application and file exfiltration for cloud access. This event handler requires a FortiCASB connector configured on FortiAnalyzer. See Configuring security fabric connectors. This automatically creates the Get Cloud Service Data (FortiCasb Connector) playbook, which must be enabled for this event handler to generate events. See Playbooks. Disabled by default MITRE Tech ID: T1011 Exfiltration Over Other Network Medium Rule 1: Unsanctioned Applications detected Event Severity: High Log Device Type: FortiGate Log Type: Application Control Log Field: Source IP, Application Name Log messages that match all of the following filters: (siflags & 1) == 0 && siappid >=0 Event Status: Unhandled Tags: Unsanctioned_App Custom Message: Unsanctioned application ${app} with app risk: ${apprisk} detected on: ${devname} with message: ${msg} Rule 2: File Exfiltration Attempts detected Event Severity: High Log Device Type: FortiGate Log Type: Application Control Log Field: Source IP, Application Name Log messages that match all of the following filters: (siflags & 4) == 4 Event Status: Unhandled Tags: File_Exfiltration Custom Message: File exfiltration detected on: ${devname} with message: ${msg} Rule 3: Unsanctioned Users detected Event Severity: High Log Device Type: FortiGate Log Type: Application Control Log Field: Source IP, Application Name Log messages that match all of the following filters: (siflags & 1) == 1 && (siflags & 2) == 0 Event Status: Unhandled Tags: Unsanctioned_User Custom Message: Unsanctioned user: ${unauthuser} with app risk: ${apprisk} detected on: ${devname} with message: ${msg}
Local Device Event	Default local device event handler. Available only in the Root ADOM. Enabled by default Data Selector: Default Local Device Selector Rule 1: Critical or important events Event Severity: Medium Log Device Type: Local Device Log Type: Event Log Field: Log Description Log messages that match the following filters: Level Greater Than or Equal To Warning Tags: System, Local
Default-NOC-Interface-Events	Event handler for FortiGate device type logs to generate events for vlan/interface status up or down, and DNS service on interface status. Disabled by default MITRE Tech ID: T1489 Service Stop Rule 1: Interface status changed to up Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: action="interface-stat-change" and status="UP" Tags: NOC, Interface Custom message: Device ${devname}, status changed to ${status} with message ${msg}. Rule 2: Interface status changed to down Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: action="interface-stat-change" and status="DOWN" Tags: NOC, Interface Custom message: Device ${devname}, status changed to ${status} with message ${msg}. Rule 3: DNS server config added Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: cfgpath="system.dns-server" and action="Add" Tags: NOC, Interface, DNS Custom Message: Device ${devname}, DNS server status changed with message ${msg}. Rule 4: DNS server config deleted Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match all of the following filters: cfgpath="system.dns-server" and action="Delete" Tags: NOC, Interface, DNS Custom Message: Device ${devname}, DNS server status changed with message ${msg}.
Default-NOC-FortiExtender-Events	Event handler for FortiGate device type logs to generate events for FortiExtender alerts, authorization and controller activity events. Disabled by default MITRE Tech ID: T1499.001 OS Exhaustion Flood Rule 1: FortiExtender Authorized Event Severity: Medium Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: action="FortiExtender Authorized" Tags: NOC, FortiExtender Custom message: Device: ${ip} ${action} with message: ${msg} Rule 2: Warning event detected Event Severity: High Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: level="warning" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 3: Alert event detected Event Severity: High Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: level="alert" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 4: Critical event detected Event Severity: Critical Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: level="critical" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 5: Error event detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: level="error" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 6: Emergency event detected Event Severity: Critical Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: level="emergency" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 7: FortiExtender controller activity detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: logid="0111046401" and logdesc="FortiExtender controller activity" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 8: FortiExtender controller activity error detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: logid="0111046402" and logdesc="FortiExtender controller activity error" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg}
Default-NOC-Routing-Events	Event handler for FortiGate device type logs to generate events for changes in routing information including BGP Neighbor Status, Routing information change, OSFP Neighbor Status, Neighbor Table Changed and VRRP State Changed. Disabled by default Rule 1: Routing information changed Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc="Routing information changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 2: BGP neighbor status changed Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Router Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc="BGP neighbor status changed" Tags: NOC, Routing Custom message: ${devname}. BGP neighbor status changed with message ${msg} Rule 3: OSPF or OSPF6 neighbor status changed Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Router Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="OSPF neighbor status changed" OR logdesc=="OSPF6 neighbor status changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 4: Neighbor table changed Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Router Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="neighbor table change" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 5: VRRP state changed Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Router Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="VRRP state changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg}
Default-NOC-Network-Events	Event handler for FortiGate device type logs to generate network events including SNMP queries, routing information changes, DHCP server and status changes. Disabled by default Rule 1: Device SNMP query failed Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match all of the following filters: logid="0100029021" AND logdesc="SNMP query failed" Tags: NOC, Network Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 2: Device routing information changed Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Routing information changed" Tags: NOC, Network Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 3: DHCP client lease granted or usage high Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="DHCP client lease granted" OR logdesc=="DHCP lease usage high" OR logdesc=="DHCP lease usage full" Tags: NOC, Network Custom message: DHCP status on Device ${devname} is ${logdesc} with message: ${msg} Rule 4: SNMP enabled Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: cfgpath="system.snmp.sysinfo" and logdesc="Attribute configured" and cfgattr=status[disable->enable] Tags: NOC, Network Custom message: Device ${devname} ${logdesc} ${cfgattr} with message ${msg}. Rule 5: SNMP disabled Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: cfgpath="system.snmp.sysinfo" and logdesc="Attribute configured" and cfgattr=status[enable->disable] Tags: NOC, Network Custom message: Device ${devname} ${logdesc} ${cfgattr} with message ${msg}. Rule 6: DHCP server status changed Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match all of the following filters: cfgpath="system.dhcp.server" and logdesc="Object attribute configured" Tags: NOC, Network Custom message: DHCP server status change ${cfgattr} with message ${msg}. Rule 7: DHCP lease renewed Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: dhcp_msg="Ack" and logdesc="DHCP Ack log" Tags: NOC, Network Custom message: Host ${hostname} with message ${msg}. Rule 8: DHCP lease released Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match all of the following filters: dhcp_msg="Release" and logdesc="DHCP Release log" Tags: NOC, Network Custom message: Host ${hostname} with message ${msg}.
Default-NOC-Switch-Events	Event handler for FortiGate device type logs to generate events for Switch-Controller added/deleted or authorized/deauthorized, Switch-Controller Status, Interface flapping, LAG/MCLAG and split-brain status, Cable test/diagnosis and physical port up/down. Disabled by default MITRE Tech ID: T1489 Service Stop Rule 1: Switch-Controller activity detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Message Log messages that match all of the following filters: (subtype="switch-controller") and (logdesc=="Switch-Controller discovered" OR logdesc=="Switch-Controller authorized" OR logdesc=="Switch-Controller deauthorized" OR logdesc=="Switch-Controller deleted" OR logdesc=="Switch-Controller warning") Tags: NOC, Switch, Controller Custom message: ${logdesc} Rule 2: Vlan interface change has occurred Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc='FortiSwitch system' and msg~"interface vlan" Tags: NOC, Switch, Controller Custom message: Device ${devname} interface vlan change with message: ${msg} Rule 3: Port switch detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Message Log messages that match any one of the following filters: logdesc="FortiSwitch link" AND msg~"switch port" Tags: NOC, Switch, Controller Custom message: ${logdesc} on Device: ${devname} with message: ${msg} Rule 4: Device flap detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Message Log messages that match any one of the following filters: msg~"flap" Tags: NOC, Switch, Controller Default message Rule 5: Device LAG-MCLAG status change Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: msg~"lag" OR msg~"mclag" Tags: NOC, Switch, Controller Custom message: Device: ${devname} LAG-MCLAG status update with message: ${msg} Rule 6: Device MCLAG split-brain detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: log_id=0115032695 and msg~"MCLAG split-brain" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 7: Device cable diagnose detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: log_id=0115032699 and msg~"CABLE DIAGNOSE" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 8: Device come up detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: log_id=="0115032695" and msg~"come up" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 9: Device gone down detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: log_id=="0115032695" and msg~"gone down" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}.
Default-NOC-HA-Events	Event handler for FortiGate device type logs to generate events for HA cluster updates and alerts including HA Device interface failure, Cluster Priority Changed, cluster member state moved, device interface down, HA device syncronization status, connection to FortiAnalyzer status, FortiManager tunnel connection status and connection with CSF member status. Disabled by default MITRE Tech ID: T1489 Service Stop Rule 1: HA device interface failed Event Severity: High Log Device Type: FortiGate Log Type: Event > HA Log Field: Device Name, Message Log messages that match any one of the following filters: logdesc=="HA device interface failed" and logid=="0108037898" Tags: NOC, HA, Cluster Default message Rule 2: Device set as HA primary Event Severity: High Log Device Type: FortiGate Log Type: Event > HA Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Device set as HA primary" Tags: NOC, HA, Cluster Custom message: Device: ${devname} has been set to HA Primary with msg: ${msg} Rule 3: Cluster state moved or Heartbeat device interface down Event Severity: High Log Device Type: FortiGate Log Type: Event > HA Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Virtual cluster member state moved" OR logdesc=="Heartbeat device interface down" Tags: NOC, HA, Cluster Custom message: Device: ${devname} ${logdesc} with HA role: ${ha_role} Rule 4: Synchronization activity detected Event Severity: High Log Device Type: FortiGate Log Type: Event > HA Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="HA secondary synchronization failed" OR logdesc=="Secondary sync failed" OR logdesc="Synchronization status with master" Tags: NOC, HA, Cluster Custom message: Device: HA synchronization status for Device: ${devname} ${logdesc}. Message: ${msg}. Status is: ${sync_status} Rule 5: FortiAnalyzer connection up Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: action="connect" and status="success" and logdesc="FortiAnalyzer connection up" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 6: FortiAnalyzer connection failed Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that any one all of the following filters: action="connect" and status="failure" and logdesc="FortiAnalyzer connection failed" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 7: Upstream connection with CSF member established and authorized Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: direction="upstream" and logdesc="Connection with CSF member established and authorized" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 8: Upstream connection with authorized CSF member terminated Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: direction="upstream" and logdesc="Connection with authorized CSF member terminated" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 9: FortiManager tunnel connection up Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: action="connect" and status="success" and logdesc="FortiManager tunnel connection up" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${logdesc} with message - ${msg}. Rule 10: FortiManager tunnel connection down Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: action="connect" and status="failure" and logdesc="FortiManager tunnel connection down" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${logdesc} with message - ${msg}.
Default-NOC-Wireless-Events	Event handler for FortiGate device type logs to generate events for wireless wifi, AP updates and alerts including AP Status Change and Fake/Rogue AP detection, wireless client status change added/removed/allowed or denied status, signal to noise ratio (SNR) poor/fair/good, SSID status up/down. Disabled by default Rule 1: Fake AP detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name, SSID Log messages that match any one of the following filters: logid="0104043567" AND logdesc=="Fake AP detected" Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. SN: ${sndetected} Rule 2: Rogue AP detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name, SSID Log messages that match any one of the following filters: logid=="0104043563" AND logdesc=="Rogue AP detected" Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. SN: ${sndetected} with message: ${msg} Rule 3: Wireless event log id matched Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name, Message Log messages that match any one of the following filters: subtype="wireless" AND (logid=="0104043551" OR logid=="0104043552" OR logid=="0104043553") Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. of AP: ${ap} Rule 4: Wireless client activity detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name, Log Description Log messages that match any one of the following filters: (logdesc=="Wireless client associated" OR logdesc=="Wireless client authenticated" OR logdesc=="Wireless client disassociated" OR logdesc=="Wireless client deauthenticated" OR logdesc=="Wireless client idle" OR logdesc=="Wireless client denied" OR logdesc=="Wireless client kicked" OR logdesc="Wireless client IP assigned" OR logdesc=="Wireless client left WTP" OR logdesc=="Wireless client WTP disconnected") Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc} for ${ssid} with message: ${msg} Rule 5: Signal-to-noise ratio is poor Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name Log messages that match any one of the following filters: snr<="24" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has a poor quality SNR at ${snr} dB. Rule 6: Signal-to-noise ratio is fair Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name Log messages that match any one of the following filters: snr>="25" and snr<="40" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has fair quality SNR at ${snr} dB. Rule 7: Signal-to-noise ratio on is excellent Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name Log messages that match any one of the following filters: snr>="41" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has excellent quality SNR at ${snr} dB. Rule 8: Physical AP radio ssid up Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: SSID, Log Description Log messages that match any one of the following filters: logdesc="Physical AP radio ssid up" and action="ssid-up" Tags: NOC, Wireless, Wifi, AP Custom message: Device ${sn} SSID status change with message ${msg}. Rule 9: Physical AP radio ssid down Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: SSID, Log Description Log messages that match any one of the following filters: logdesc="Physical AP radio ssid down" and action="ssid-down" Tags: NOC, Wireless, Wifi, AP Custom message: Device ${sn} SSID status change with message ${msg}.
Default-NOC-Security-Events	Event handler for FortiGate device type logs to generate events for security events including Admin Logins failed or disabled, Admin or Admin Monitor Disconnected, Admin password expired and UTM Profile changes. Disabled by default Rule 1: Admin login failed or desabled Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Admin login failed" OR logdesc=="Admin login disabled" OR logdesc=="SSL VPN login fail" Tags: NOC, Security, Login, Password Custom message: ${logdesc} for ${user} on device: ${devname} due to: ${reason} with message: ${msg} Rule 2: Admin password expired Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Admin password expired" Tags: NOC, Security, Login, Password Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 3: Admin disconnected Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Admin disconnected" OR logdesc=="Admin monitor disconnected" Tags: NOC, Security, Login, Password Custom message: ${logdesc} on device: ${devname} with message: ${msg} Rule 4: AV or IPS change detected Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="AV updated by admin" OR logdesc=="IPS package - Admin update successful" OR logdesc=="AV package update by SCP failed" OR logdesc=="IPS package failed to update via SCP" OR logdesc=="IPS custom signatures backup failed" Tags: NOC, Security, Login, Password Custom message: Device: ${devname} ${logdesc} with message: ${msg}
Default-NOC-Fabric-Events	Event handler for FortiAnalyzer and FortiGate log device type to detect Fabric events, including device offline, CSF member connection status down or terminated, CSF member configuration changes, automation stitch triggered , licenses that are expiring or failed updates. Disabled by default MITRE Tech ID: T1529 System Shutdown/Reboot Rule 1: Device offline detected Event Severity: High Log Device Type: FortiAnalyzer Log Type: Application Log Log Field: Logging Device Name, Message Log messages that match any one of the following filters: desc="Device offline" Tags: NOC, Fabric Custom message: ${logdev_id} is offline Rule 2: FortiAnalyzer connection down detected Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Message Log messages that match any one of the following filters: logdesc="FortiAnalyzer connection down" Tags: NOC, Fabric Default message Rule 3: Connection with authorized CSF member terminated Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Message Log messages that match all of the following filters: logdesc="Connection with authorized CSF member terminated" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devid} due to: ${reason} Rule 4: Automation stitch triggered Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc="Automation stitch triggered" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devname} with message: ${msg} and stitch action: ${stitchaction} Rule 5: Device license failed or expiring detected Event Severity: Critical Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Message Log messages that match any one of the following filters: logdesc~"license failed" OR logdesc~"license expiring" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devid} Rule 6: System update or failure detected Event Severity: Critical Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Message Log messages that match all of the following filters: logdesc~"update" AND logdesc~"failed" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devname} with message: ${msg} Rule 7: Security fabric settings change detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Settings modified by Security Fabric service" OR logdesc=="Looped configuration in Security Fabric service" OR logdesc=="Connection with CSF member established and authorized" OR logdesc=="Connection with authorized CSF member terminated" OR logdesc=="Serial number of upstream is changed" Tags: NOC, Fabric Custom message: Device: ${devname} change with message: ${msg}
Default-NOC-System-Events	Event handler for FortiGate device type logs to generate events for system events including Power failure and device shutdown, High Resource usage (CPU, Mem, Storage), log device full status warnings and disk rolled, and devices entering/exiting conserve mode. Disabled by default MITRE Tech IDs: T1496 Resource Hijacking T1529 System Shutdown/Reboot Rule 1: Device shutdown detected Event Severity: Critical Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc="Device shutdown" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devname} experienced $logdesc with message: ${msg} Rule 2: Device conserve mode detected Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid=="0100022011" OR logid=="0100022802" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${logdesc} on Device: ${devname} with message ${msg} Rule 3: Disk or memory is full Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Disk log full over first warning" OR logdesc=="Memory log full over first warning level" OR logdesc=="Memory log full over second warning level" OR logdesc=="Memory log full over final warning level" OR logdesc=="Disk full" OR logdesc=="Disk log rolled" OR logdesc=="Log disk full" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 4: Device high CPU consumption detected Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: cpu>="80" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devid} performance cpu: ${cpu} Rule 5: Device high memory consumption detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: mem>="75" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devid} performance memory: ${memory}
Default-NOC-VPN-Events	Event handler for FortiGate device type logs to generate events for VPN status changes including IPsec Phase1 error or failure, and Phase2 Up/Down and errors, Ipsec Tunnel Up/Down, VPN SSL login failures, IPSec ESP Error, IPsec DPD failures. Disabled by default MITRE Tech IDs: T1133 External Remote Services T1572 Protocol Tunneling Rule 1: User SSL VPN login failed Event Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Source End User Log messages that match any one of the following filters: logid=="0101039426" and action=="ssl-login-fail" Tags: NOC, VPN Custom message: ${logdesc} due to: ${reason} Rule 2: IPsec phase 1 error or status fail detected Event Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Message Log messages that match any one of the following filters: (logid=="0101037124" OR logid=="0101037120") and (logdesc=="IPsec phase 1 error" OR status="fail") Tags: NOC, VPN Custom message: ${logdesc} due to: ${status} with reason: ${reason} Rule 3: IPsec ESP error detected Event Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Message Log messages that match any one of the following filters: logid=="0101037131" and logdesc=="IPsec ESP" Tags: NOC, VPN Custom message: ${status} on: ${devname}, ${error_num} Rule 4: IPsec DPD failed Event Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Message Log messages that match any one of the following filters: logid=="0101037136" and logdesc=="IPsec DPD failed" Tags: NOC, VPN Custom message: ${msg} on device: ${devname} Rule 5: Device tunnel-up or tunnel-down detected Event Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid="0101037138" and (action="tunnel-up" or action= "tunnel-down") Tags: NOC, VPN Custom message: ${msg} due to: ${action} Rule 6: IPsec phase 2 error detected Event Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Message Log messages that match any one of the following filters: logid=="0101037125" and logdesc=="IPsec phase 2 error" Tags: NOC, VPN Custom message: ${logdesc} due to: ${reason} Rule 7: Device phase2-up or phase2-down detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Message Log messages that any one all of the following filters: logid=="0101037139" and (action=="phase2-up" OR action=="phase2-down") Tags: NOC, VPN Custom message: ${logdesc} due to: ${action}
Default-NOC-SD-WAN-Events	Event handler for FortiGate device type logs to generate events for SD-WAN status, alerts, and health check events including SLA targets/SLA met or not met for jitter, latency, packetloss, Health-check server status (alive or dead), status (up or down), and member status change. Disabled by default MITRE Tech IDs: T1499.002 Service Exhaustion Flood T1529 System Shutdown/Reboot Rule 1: SLA failed for jitter Event Severity: High Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Health Check Log messages that match any one of the following filters: subtype=="sdwan" AND metric=="jitter" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${jitter} which violates the target ID ${slatargetid}. Rule 2: SLA failed for latency Event Severity: High Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Health Check Log messages that match any one of the following filters: subtype=="sdwan" AND metric=="latency" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${latency} which violates the target ID ${slatargetid}. Rule 3: SLA failed for packetloss Event Severity: High Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Health Check Log messages that match any one of the following filters: subtype=="sdwan" AND metric=="packetloss" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${packetloss} which violates the target ID ${slatargetid}. Rule 4: Device status changed to die Event Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid="0113022925" AND newvalue="die" Tags: NOC, SD-WAN Custom message: Device: ${devname} with status ${newvalue}. ${msg}. Rule 5: Device status changed to alive. Event Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid="0113022925" AND newvalue="alive" Tags: NOC, SD-WAN Custom message: Device: ${devname} with status ${newvalue}. ${msg}. Rule 6: Device status is up Event Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Health Check Log messages that match any one of the following filters: logid="0113022925" AND status=="up" Tags: NOC, SD-WAN Custom message: Device: ${devname} ${msg} status is ${status}. Rule 7: Device status is down Event Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Health Check Log messages that match any one of the following filters: logid="0113022925" AND status=="down" Tags: NOC, SD-WAN Custom message: Device: ${devname} ${msg} status is ${status}. Rule 8: Number of pass member changed Event Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid="0113022923" AND msg="Number of pass member changed." Tags: NOC, SD-WAN Custom message: ${msg} from ${oldvalue} to ${newvalue} for ${devname} Rule 9: Member status changed Event Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid="0113022923" AND msg="Member status changed. Member out-of-sla." Tags: NOC, SD-WAN Custom message: ${msg}. Member is now ${member} on ${devname}.
Default-NOC-Docker-Events	Event handler for FortiGate device type logs to generate events for Docker including inlcuding container enabled/disabled, CPU value set/max reached and MEM value set/max reached. Disabled by default Rule 1: Memory report detected Event Severity: Medium Log Device Type: FortiManager Log Type: Event Log Field: Type, Subtype Log messages that match any one of the following filters: log_id=="0042010266" and msg~"MEM" Tags: NOC, Docker Custom message: Device ${devname} with message ${msg}. Rule 2: CPU report detected Event Severity: Medium Log Device Type: FortiManager Log Type: Event Log Field: Type, Subtype Log messages that match any one of the following filters: log_id=="0042010266" and msg~"CPU" Tags: NOC, Docker Custom message: Device ${devname} with message ${msg}. Rule 3: Status changed to disable Event Severity: Medium Log Device Type: FortiManager Log Type: Event Log Field: Type, Subtype Log messages that match any one of the following filters: log_id="0001010026" and changes~"status=disable" Tags: NOC, Docker Custom message: Device ${devname} with changes ${changes}. Rule 4: Status changed to enable Event Severity: Medium Log Device Type: FortiManager Log Type: Event Log Field: Type, Subtype Log messages that match any one of the following filters: log_id="0001010026" and changes~"status=enable" Tags: NOC, Docker Custom message: Device ${devname} with changes ${changes}.
ZTNA Brute Force Login	Detects various brute force login attempts in ZTNA environments. Enabled by default Rule 1: High Volume of Failed Authentications from Multiple Non-Existing Users Triggers an event when 100 or more non-existing users have failed authentications to a host name within 10 minutes. Event Severity: Medium Log Device Type: Fabric Log Type: Normalized Log Field: Host Name Log messages that match all of the following filters: Data Source Type = FortiAuthenticator Event Sub Type = Authentication Event ID = 20101 Event Message: High volume of failed authentications from multiple non-existing users to host: $groupby1 Tags: ZTNA, Login, AccountDiscovery, BruteForce, CredentialSurfing Rule 2: Authentication Failed from Multiple Geo Locations Triggers an event when an existing account fails to authenticate from three or more different geo locations within five minutes. Event Severity: High Log Device Type: Fabric Log Type: Normalized Log Field: User ID Log messages that match all of the following filters: Data Source Type = FortiAuthenticator Event Sub Type = Authentication Event Profile contains AUTH_FAIL UEBA User ID > 1024 Event Message: Authentication failed from multiple geo locations for user: $groupby1 Tags: ZTNA, Login, Geo, BruteForce Rule 3: Brute Force Login Attack Triggers an event when and existing user has 10 or more failed authentications with an event profile containing AUTH_FAIL_LOCK within 10 minutes. Event Severity: Medium Log Device Type: Fabric Log Type: Normalized Log Fields: User ID, Event Profile Log messages that match all of the following filters: Data Source Type = FortiAuthenticator Event Sub Type = Authentication Event Profile contains AUTH_FAIL UEBA User ID > 1024 Event Message: Brute force login attack for user: $groupby1 Tags: ZTNA, Login, BruteForce Rule 4: High Volume of Failed Authentications to Same Non-Existing User Triggers an event when a non-existing user has at least 100 or more failed authentications within 1440 minutes (one day). Event Severity: Medium Log Device Type: Fabric Log Type: Normalized Log Field: User ID Log messages that match all of the following filters: Data Source Type = FortiAuthenticator Event Sub Type = Authentication Event ID = 20101 Event Message: High volume of failed authentications for non-existing user: $groupby1 Tags: ZTNA, Login, BruteForce, DoS
ZTNA Login Anomaly Detection	Detects various suspicious login scenarios in ZTNA environments. Enabled by default Rule 1: Authentication to Multiple Services Failed Triggers an event when a user has failed authentications to three or more services within 10 minutes. Event Severity: Medium Log Device Type: Fabric Log Type: Normalized Log Field: User ID Log messages that match all of the following filters: Data Source Type = FortiAuthenticator Event Sub Type = Authentication Event Profile contains AUTH_FAIL UEBA User ID > 1024 Event Message: Authentication to multiple services failed for user: $groupby1 Tags: ZTNA, Login, PrivilegeEscalation Rule 2: Successful Authentication from Multiple Geo Locations Triggers an event when a user has successful authentication from three or more unique geo locations within 10 minutes. Event Severity: Critical Log Device Type: Fabric Log Type: Normalized Log Field: User ID Log Filter by Text: `data_sourcetype = 'FortiAuthenticator' and euid > 1024 and ((event_subtype = 'User' and event_profile = 'SAML_IDP_PORTAL_LOGIN') or (event_subtype = 'Authentication' and event_profile ~ 'AUTH_OK'))` Event Message: Suspicious successful authentication from multiple geo locations for user: $groupby1 Tags: ZTNA, Login, Geo, ImpossibleTravel Rule 3: Successful Authentication from Multiple Endpoints Triggers an event when a user has successful authentication from five or more different host_IPs within 10 minutes. Event Severity: High Log Device Type: Fabric Log Type: Normalized Log Field: User ID, Host Name Log Filter by Text: `data_sourcetype = 'FortiAuthenticator' and euid > 1024 and ((event_subtype = 'User' and event_profile = 'SAML_IDP_PORTAL_LOGIN') or (event_subtype = 'Authentication' and event_profile ~ 'AUTH_OK'))` Event Message: Suspicious successful authentication from multiple endpoints for user: $groupby1 to host $groupby2 Tags: ZTNA, Login, LateralMovement Rule 4: Successful Authentication from Sanctioned Countries Triggers an event when a user has at least one successful authentication from sanctioned countries within 10 minutes. Event Severity: Medium Log Device Type: Fabric Log Type: Normalized Log Field: User ID Log Filter by Text: data_sourcetype='FortiAuthenticator' and euid>1024 and ((event_subtype='User' and event_profile='SAML_IDP_PORTAL_LOGIN') or (event_subtype='Authentication' and event_profile~'AUTH_OK')) and (src_geo_country='Russian Federation' or src_geo_country='Belarus' or src_geo_country='Iraq' or src_geo_country='Sri Lanka' or src_geo_country='Central African Republic' or src_geo_country='Syrian Arab Republic' or src_geo_country='Libyan Arab Jamahiriya' or src_geo_country='Korea, Democratic People\'s Republic of' or src_geo_country='Nicaragua' or src_geo_country='China' or src_geo_country~'Iran' or src_geo_country='Venezuela' or src_geo_country='Yemen' or src_geo_country='Lebanon' or src_geo_country='Myanmar' or src_geo_country~'Sudan' or src_geo_country~'Moldova' or src_geo_country~'Congo' or src_geo_country='Guatemala' or src_geo_country='Ukraine' or src_geo_country='Haiti' or src_geo_country='Somalia' or src_geo_country='Zimbabwe') Event Message: Successful authentication from sanctioned countries for user: $groupby1 Tags: ZTNA, Login, Geo, PolicyViolation, Compliance

Below are examples of raw logs that would trigger the associated default event handler.

Default Event Handler	Example Log
Local Device Event	id=6872390755323740160 itime=2020-09-14 10:06:03 euid=1 epid=1 dsteuid=1 dstepid=1 log_id=0034043006 subtype=logdb type=event level=warning time=10:06:03 date=2020-09-14 user=system action=delete msg=Requested to trim database tables older than 60 days to enforce the retention policy of Adom root. userfrom=system desc=Trim local db devid=FAZ-VMTM20001572 devname=FAZ-VMTM20001572 dtime=2020-09-14 10:06:03 itime_t=1600103163
Default-Compromised Host-Detection-by IOC-By-Threat	date=2020-09-20 time=07:41:20 id=6874471739997290516 itime=2020-09-20 00:41:20 euid=3 epid=1161 dsteuid=3 dstepid=101 type=utm subtype=ips level=warning sessionid=917509475 policyid=2 srcip=172.16.93.164 dstip=5.79.68.109 srcport=51392 dstport=80 proto=6 logid=0421016399 service=HTTP eventtime=1537181449 crscore=30 crlevel=high srcintfrole=lan dstintfrole=wan direction=outgoing url=/ hostname=survey-smiles.com profile=default eventtype=malicious-url srcintf=95-FortiCloud dstintf=OSPF msg=URL blocked by malicious-url-list devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:20 itime_t=1600587680 devname=FG100D3G02000011
Default-Risky-App-Detection-By-Threat	date=2020-09-20 time=07:41:23 id=6874471752882192399 itime=2020-09-20 00:41:23 euid=3 epid=1201 dsteuid=3 dstepid=101 type=utm subtype=app-ctrl level=information action=pass sessionid=3003333495 policyid=79 srcip=172.16.80.218 dstip=122.195.166.40 srcport=38625 dstport=26881 proto=6 logid=1059028704 service=tcp/26881 eventtime=1537399002 incidentserialno=603516169 crscore=5 crlevel=low direction=outgoing apprisk=high appid=6 srcintfrole=lan dstintfrole=wan applist=scan appcat=P2P app=BitTorrent eventtype=app-ctrl-all srcintf=80-software-r dstintf=port7 msg=P2P: BitTorrent_HTTP.Track, devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:23 itime_t=1600587683 devname=FG100D3G02000011
Default_NOC_Routing_Events	date=2021-02-08 time=10:36:09 eventtime=1612809370040652208 tz="-0800" logid="0103027001" type="event" subtype="router" level="information" vd="root" logdesc="VRRP state changed" interface="port1" msg="VRRP vrid 200 vrip 172.17.200.200 changes state from Master to Backup due to ADVERTISEMENT with higherer priority received"

FortiOS system events

FortiOS predefined system event handlers are consolidated into a single event handler with multiple rules called Default-FOS-System-Events.

Events are organized by device in the Incidents & Events dashboards, which can be expanded to view all related events.

Default-FOS-System-Events rules apply tags to each event, allowing you to identify which Default-FOS-System-Events rule triggered the event.

If you are upgrading from a version before FortiAnalyzer 6.2.0, the existing legacy predefined handlers which are enabled or have been modified will be available as custom handlers. In the Event Handler List, select the More dropdown and choose Show Custom.

Predefined basic event handlers

If you wish to recieve notifications from a pedefined event handler, configure a notification profile and assign it to the event handler. See Creating notification profiles.

In 6.2.0 and up, predefined event handlers have been consolidated and have multiple rules that can be enabled or disabled individually.

The following are a small sample of FortiAnalyzer predefined basic event handlers.

Event Handler	Description
Default-Compromised-Host-Detection-IOC-By-Threat	Default event handler to detect compromised hosts by FortiAnalyzer IOC feature grouped by threat. Enabled by default MITRE Tech IDs: T1071.001 Web Protocols T1071.004 DNS T1041 Exfiltration Over C2 Channel Rule 1: Traffic to CnC detected Event Severity: Critical Log Device Type: FortiGate Log Type: Traffic Log > Any Log Field: Destination IP, Endpoint Log messages that match all of the following filters: tdtype~infected Event Status: Unhandled Tags: IP, C&C, Ioc_Rescan Custom Message: Traffic to C&C:${dstip}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 2: Web traffic to CnC detected Event Severity: Critical Log Device Type: FortiGate Log Type: Web Filter Log Field: Hostname URL, Source Endpoint Log messages that match all of the following filters: tdtype~infected Event Status: Unhandled Tags: C&C, URL, Ioc_Rescan Custom Message: Traffic to C&C:${hostname}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 3: DNS traffic to CnC detected Event Severity: Critical Log Device Type: FortiGate Log Type: DNS Log Log Field: QNAME, Source Endpoint Log messages that match all of the following filters: tdtype~infected Event Status: Unhandled Tags: C&C, Domain, Ioc_Rescan Custom Message: Traffic to C&C:${qname}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 4: Traffic to CnC event detected by FortiGate Event Severity: Critical Log Device Type: FortiGate Log Type: Event Log > System Log Field: Source IP Log messages that match all of the following filters: logid==0100020214 Event Status: Unhandled Tags: C&C Custom Message: FGT detected traffic to IOC location, from the source ip:${srcip}
Default-Data-Leak-Detection-By-Threat	Default data leak detection handler grouped by threat. Disabled by default MITRE Tech ID: T1005 Data from Local System Rule 1: Data leak detected Event Severity: Medium Log Device Type: FortiGate Log Type: DLP Log Field: Filter Category, Source Endpoint Log messages that match all of the following filters: action==log-only or action==allow Event Status: Unhandled Tags: Signature, Leak Custom Message: File:${filename} (Type:${filetype}, Size:${filesize}), Traffic path: PolicyID ${policyid}\${dstip}:${dstport} Rule 2: Data leak blocked Event Severity: Low Log Device Type: FortiGate Log Type: DLP Log Field: Filter Category, Source Endpoint Log messages that match all of the following filters: action!=log-only and action!=allow Event Status: Mitigated Tags: Signature, Leak Custom Message: File:${filename} (Type:${filetype}, Size:${filesize}), Traffic path: PolicyID ${policyid}\${dstip}:${dstport}
Default-Sandbox-Detections-By-Endpoint	Default handler to track file submission and malware detection by FortiSandbox grouped by endpoint. Disabled by default MITRE Tech IDs: T1041 Exfiltration Over C2 Channel Rule 1: Malware detected Event Severity: Critical Log Device Type: FortiGate Log Type: AntiVirus Log Field: Source Endpoint, Virus Name Log messages that match all of the following filters: logid==0211009235 or logid==0211009237 Event Status: Unhandled Tags: Sandbox, Signature, Malware Custom Message: Malware:${virus} with severity:${crlevel} found in file:${filename} from ${dstip}:${dstport}, Reference: ${ref} Rule 2: Malware blocked Event Severity: Critical Log Device Type: FortiGate Log Type: AntiVirus Log Field: Source Endpoint, Virus Name Log messages that match all of the following filters: logid==0211009234 or logid==0211009236 Event Status: Mitigated Tags: Sandbox, Signature, Malware Custom Message: Malware:${virus} with severity:${crlevel} found in file:${filename} from ${dstip}:${dstport}, Reference: ${ref} Rule 3: Sandbox detected Malware Event Severity: Critical Log Device Type: FortiGate Log Type: AntiVirus Log Field: Source Endpoint Log messages that match any one of the following filters: logid==0201009238 and fsaverdict==malicious Event Status: Unhandled Tags: Sandbox, Malware Custom Message: File:${filename}, Traffic path: ${dstintf}(Policy:${policyid})\${dstip}:${dstport}, Checksum:${analyticscksum}
Default-Shadow-IT-Events	Default event handler to detect unsanctioned user, application and file exfiltration for cloud access. This event handler requires a FortiCASB connector configured on FortiAnalyzer. See Configuring security fabric connectors. This automatically creates the Get Cloud Service Data (FortiCasb Connector) playbook, which must be enabled for this event handler to generate events. See Playbooks. Disabled by default MITRE Tech ID: T1011 Exfiltration Over Other Network Medium Rule 1: Unsanctioned Applications detected Event Severity: High Log Device Type: FortiGate Log Type: Application Control Log Field: Source IP, Application Name Log messages that match all of the following filters: (siflags & 1) == 0 && siappid >=0 Event Status: Unhandled Tags: Unsanctioned_App Custom Message: Unsanctioned application ${app} with app risk: ${apprisk} detected on: ${devname} with message: ${msg} Rule 2: File Exfiltration Attempts detected Event Severity: High Log Device Type: FortiGate Log Type: Application Control Log Field: Source IP, Application Name Log messages that match all of the following filters: (siflags & 4) == 4 Event Status: Unhandled Tags: File_Exfiltration Custom Message: File exfiltration detected on: ${devname} with message: ${msg} Rule 3: Unsanctioned Users detected Event Severity: High Log Device Type: FortiGate Log Type: Application Control Log Field: Source IP, Application Name Log messages that match all of the following filters: (siflags & 1) == 1 && (siflags & 2) == 0 Event Status: Unhandled Tags: Unsanctioned_User Custom Message: Unsanctioned user: ${unauthuser} with app risk: ${apprisk} detected on: ${devname} with message: ${msg}
Local Device Event	Default local device event handler. Available only in the Root ADOM. Enabled by default Data Selector: Default Local Device Selector Rule 1: Critical or important events Event Severity: Medium Log Device Type: Local Device Log Type: Event Log Field: Log Description Log messages that match the following filters: Level Greater Than or Equal To Warning Tags: System, Local
Default-NOC-Interface-Events	Event handler for FortiGate device type logs to generate events for vlan/interface status up or down, and DNS service on interface status. Disabled by default MITRE Tech ID: T1489 Service Stop Rule 1: Interface status changed to up Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: action="interface-stat-change" and status="UP" Tags: NOC, Interface Custom message: Device ${devname}, status changed to ${status} with message ${msg}. Rule 2: Interface status changed to down Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: action="interface-stat-change" and status="DOWN" Tags: NOC, Interface Custom message: Device ${devname}, status changed to ${status} with message ${msg}. Rule 3: DNS server config added Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: cfgpath="system.dns-server" and action="Add" Tags: NOC, Interface, DNS Custom Message: Device ${devname}, DNS server status changed with message ${msg}. Rule 4: DNS server config deleted Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match all of the following filters: cfgpath="system.dns-server" and action="Delete" Tags: NOC, Interface, DNS Custom Message: Device ${devname}, DNS server status changed with message ${msg}.
Default-NOC-FortiExtender-Events	Event handler for FortiGate device type logs to generate events for FortiExtender alerts, authorization and controller activity events. Disabled by default MITRE Tech ID: T1499.001 OS Exhaustion Flood Rule 1: FortiExtender Authorized Event Severity: Medium Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: action="FortiExtender Authorized" Tags: NOC, FortiExtender Custom message: Device: ${ip} ${action} with message: ${msg} Rule 2: Warning event detected Event Severity: High Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: level="warning" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 3: Alert event detected Event Severity: High Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: level="alert" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 4: Critical event detected Event Severity: Critical Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: level="critical" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 5: Error event detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: level="error" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 6: Emergency event detected Event Severity: Critical Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: level="emergency" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 7: FortiExtender controller activity detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: logid="0111046401" and logdesc="FortiExtender controller activity" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 8: FortiExtender controller activity error detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: logid="0111046402" and logdesc="FortiExtender controller activity error" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg}
Default-NOC-Routing-Events	Event handler for FortiGate device type logs to generate events for changes in routing information including BGP Neighbor Status, Routing information change, OSFP Neighbor Status, Neighbor Table Changed and VRRP State Changed. Disabled by default Rule 1: Routing information changed Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc="Routing information changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 2: BGP neighbor status changed Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Router Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc="BGP neighbor status changed" Tags: NOC, Routing Custom message: ${devname}. BGP neighbor status changed with message ${msg} Rule 3: OSPF or OSPF6 neighbor status changed Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Router Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="OSPF neighbor status changed" OR logdesc=="OSPF6 neighbor status changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 4: Neighbor table changed Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Router Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="neighbor table change" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 5: VRRP state changed Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Router Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="VRRP state changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg}
Default-NOC-Network-Events	Event handler for FortiGate device type logs to generate network events including SNMP queries, routing information changes, DHCP server and status changes. Disabled by default Rule 1: Device SNMP query failed Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match all of the following filters: logid="0100029021" AND logdesc="SNMP query failed" Tags: NOC, Network Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 2: Device routing information changed Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Routing information changed" Tags: NOC, Network Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 3: DHCP client lease granted or usage high Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="DHCP client lease granted" OR logdesc=="DHCP lease usage high" OR logdesc=="DHCP lease usage full" Tags: NOC, Network Custom message: DHCP status on Device ${devname} is ${logdesc} with message: ${msg} Rule 4: SNMP enabled Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: cfgpath="system.snmp.sysinfo" and logdesc="Attribute configured" and cfgattr=status[disable->enable] Tags: NOC, Network Custom message: Device ${devname} ${logdesc} ${cfgattr} with message ${msg}. Rule 5: SNMP disabled Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: cfgpath="system.snmp.sysinfo" and logdesc="Attribute configured" and cfgattr=status[enable->disable] Tags: NOC, Network Custom message: Device ${devname} ${logdesc} ${cfgattr} with message ${msg}. Rule 6: DHCP server status changed Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match all of the following filters: cfgpath="system.dhcp.server" and logdesc="Object attribute configured" Tags: NOC, Network Custom message: DHCP server status change ${cfgattr} with message ${msg}. Rule 7: DHCP lease renewed Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: dhcp_msg="Ack" and logdesc="DHCP Ack log" Tags: NOC, Network Custom message: Host ${hostname} with message ${msg}. Rule 8: DHCP lease released Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match all of the following filters: dhcp_msg="Release" and logdesc="DHCP Release log" Tags: NOC, Network Custom message: Host ${hostname} with message ${msg}.
Default-NOC-Switch-Events	Event handler for FortiGate device type logs to generate events for Switch-Controller added/deleted or authorized/deauthorized, Switch-Controller Status, Interface flapping, LAG/MCLAG and split-brain status, Cable test/diagnosis and physical port up/down. Disabled by default MITRE Tech ID: T1489 Service Stop Rule 1: Switch-Controller activity detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Message Log messages that match all of the following filters: (subtype="switch-controller") and (logdesc=="Switch-Controller discovered" OR logdesc=="Switch-Controller authorized" OR logdesc=="Switch-Controller deauthorized" OR logdesc=="Switch-Controller deleted" OR logdesc=="Switch-Controller warning") Tags: NOC, Switch, Controller Custom message: ${logdesc} Rule 2: Vlan interface change has occurred Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc='FortiSwitch system' and msg~"interface vlan" Tags: NOC, Switch, Controller Custom message: Device ${devname} interface vlan change with message: ${msg} Rule 3: Port switch detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Message Log messages that match any one of the following filters: logdesc="FortiSwitch link" AND msg~"switch port" Tags: NOC, Switch, Controller Custom message: ${logdesc} on Device: ${devname} with message: ${msg} Rule 4: Device flap detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Message Log messages that match any one of the following filters: msg~"flap" Tags: NOC, Switch, Controller Default message Rule 5: Device LAG-MCLAG status change Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: msg~"lag" OR msg~"mclag" Tags: NOC, Switch, Controller Custom message: Device: ${devname} LAG-MCLAG status update with message: ${msg} Rule 6: Device MCLAG split-brain detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: log_id=0115032695 and msg~"MCLAG split-brain" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 7: Device cable diagnose detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: log_id=0115032699 and msg~"CABLE DIAGNOSE" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 8: Device come up detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: log_id=="0115032695" and msg~"come up" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 9: Device gone down detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: log_id=="0115032695" and msg~"gone down" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}.
Default-NOC-HA-Events	Event handler for FortiGate device type logs to generate events for HA cluster updates and alerts including HA Device interface failure, Cluster Priority Changed, cluster member state moved, device interface down, HA device syncronization status, connection to FortiAnalyzer status, FortiManager tunnel connection status and connection with CSF member status. Disabled by default MITRE Tech ID: T1489 Service Stop Rule 1: HA device interface failed Event Severity: High Log Device Type: FortiGate Log Type: Event > HA Log Field: Device Name, Message Log messages that match any one of the following filters: logdesc=="HA device interface failed" and logid=="0108037898" Tags: NOC, HA, Cluster Default message Rule 2: Device set as HA primary Event Severity: High Log Device Type: FortiGate Log Type: Event > HA Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Device set as HA primary" Tags: NOC, HA, Cluster Custom message: Device: ${devname} has been set to HA Primary with msg: ${msg} Rule 3: Cluster state moved or Heartbeat device interface down Event Severity: High Log Device Type: FortiGate Log Type: Event > HA Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Virtual cluster member state moved" OR logdesc=="Heartbeat device interface down" Tags: NOC, HA, Cluster Custom message: Device: ${devname} ${logdesc} with HA role: ${ha_role} Rule 4: Synchronization activity detected Event Severity: High Log Device Type: FortiGate Log Type: Event > HA Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="HA secondary synchronization failed" OR logdesc=="Secondary sync failed" OR logdesc="Synchronization status with master" Tags: NOC, HA, Cluster Custom message: Device: HA synchronization status for Device: ${devname} ${logdesc}. Message: ${msg}. Status is: ${sync_status} Rule 5: FortiAnalyzer connection up Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: action="connect" and status="success" and logdesc="FortiAnalyzer connection up" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 6: FortiAnalyzer connection failed Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that any one all of the following filters: action="connect" and status="failure" and logdesc="FortiAnalyzer connection failed" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 7: Upstream connection with CSF member established and authorized Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: direction="upstream" and logdesc="Connection with CSF member established and authorized" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 8: Upstream connection with authorized CSF member terminated Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: direction="upstream" and logdesc="Connection with authorized CSF member terminated" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 9: FortiManager tunnel connection up Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: action="connect" and status="success" and logdesc="FortiManager tunnel connection up" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${logdesc} with message - ${msg}. Rule 10: FortiManager tunnel connection down Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: action="connect" and status="failure" and logdesc="FortiManager tunnel connection down" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${logdesc} with message - ${msg}.
Default-NOC-Wireless-Events	Event handler for FortiGate device type logs to generate events for wireless wifi, AP updates and alerts including AP Status Change and Fake/Rogue AP detection, wireless client status change added/removed/allowed or denied status, signal to noise ratio (SNR) poor/fair/good, SSID status up/down. Disabled by default Rule 1: Fake AP detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name, SSID Log messages that match any one of the following filters: logid="0104043567" AND logdesc=="Fake AP detected" Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. SN: ${sndetected} Rule 2: Rogue AP detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name, SSID Log messages that match any one of the following filters: logid=="0104043563" AND logdesc=="Rogue AP detected" Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. SN: ${sndetected} with message: ${msg} Rule 3: Wireless event log id matched Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name, Message Log messages that match any one of the following filters: subtype="wireless" AND (logid=="0104043551" OR logid=="0104043552" OR logid=="0104043553") Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. of AP: ${ap} Rule 4: Wireless client activity detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name, Log Description Log messages that match any one of the following filters: (logdesc=="Wireless client associated" OR logdesc=="Wireless client authenticated" OR logdesc=="Wireless client disassociated" OR logdesc=="Wireless client deauthenticated" OR logdesc=="Wireless client idle" OR logdesc=="Wireless client denied" OR logdesc=="Wireless client kicked" OR logdesc="Wireless client IP assigned" OR logdesc=="Wireless client left WTP" OR logdesc=="Wireless client WTP disconnected") Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc} for ${ssid} with message: ${msg} Rule 5: Signal-to-noise ratio is poor Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name Log messages that match any one of the following filters: snr<="24" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has a poor quality SNR at ${snr} dB. Rule 6: Signal-to-noise ratio is fair Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name Log messages that match any one of the following filters: snr>="25" and snr<="40" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has fair quality SNR at ${snr} dB. Rule 7: Signal-to-noise ratio on is excellent Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name Log messages that match any one of the following filters: snr>="41" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has excellent quality SNR at ${snr} dB. Rule 8: Physical AP radio ssid up Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: SSID, Log Description Log messages that match any one of the following filters: logdesc="Physical AP radio ssid up" and action="ssid-up" Tags: NOC, Wireless, Wifi, AP Custom message: Device ${sn} SSID status change with message ${msg}. Rule 9: Physical AP radio ssid down Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: SSID, Log Description Log messages that match any one of the following filters: logdesc="Physical AP radio ssid down" and action="ssid-down" Tags: NOC, Wireless, Wifi, AP Custom message: Device ${sn} SSID status change with message ${msg}.
Default-NOC-Security-Events	Event handler for FortiGate device type logs to generate events for security events including Admin Logins failed or disabled, Admin or Admin Monitor Disconnected, Admin password expired and UTM Profile changes. Disabled by default Rule 1: Admin login failed or desabled Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Admin login failed" OR logdesc=="Admin login disabled" OR logdesc=="SSL VPN login fail" Tags: NOC, Security, Login, Password Custom message: ${logdesc} for ${user} on device: ${devname} due to: ${reason} with message: ${msg} Rule 2: Admin password expired Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Admin password expired" Tags: NOC, Security, Login, Password Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 3: Admin disconnected Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Admin disconnected" OR logdesc=="Admin monitor disconnected" Tags: NOC, Security, Login, Password Custom message: ${logdesc} on device: ${devname} with message: ${msg} Rule 4: AV or IPS change detected Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="AV updated by admin" OR logdesc=="IPS package - Admin update successful" OR logdesc=="AV package update by SCP failed" OR logdesc=="IPS package failed to update via SCP" OR logdesc=="IPS custom signatures backup failed" Tags: NOC, Security, Login, Password Custom message: Device: ${devname} ${logdesc} with message: ${msg}
Default-NOC-Fabric-Events	Event handler for FortiAnalyzer and FortiGate log device type to detect Fabric events, including device offline, CSF member connection status down or terminated, CSF member configuration changes, automation stitch triggered , licenses that are expiring or failed updates. Disabled by default MITRE Tech ID: T1529 System Shutdown/Reboot Rule 1: Device offline detected Event Severity: High Log Device Type: FortiAnalyzer Log Type: Application Log Log Field: Logging Device Name, Message Log messages that match any one of the following filters: desc="Device offline" Tags: NOC, Fabric Custom message: ${logdev_id} is offline Rule 2: FortiAnalyzer connection down detected Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Message Log messages that match any one of the following filters: logdesc="FortiAnalyzer connection down" Tags: NOC, Fabric Default message Rule 3: Connection with authorized CSF member terminated Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Message Log messages that match all of the following filters: logdesc="Connection with authorized CSF member terminated" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devid} due to: ${reason} Rule 4: Automation stitch triggered Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc="Automation stitch triggered" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devname} with message: ${msg} and stitch action: ${stitchaction} Rule 5: Device license failed or expiring detected Event Severity: Critical Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Message Log messages that match any one of the following filters: logdesc~"license failed" OR logdesc~"license expiring" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devid} Rule 6: System update or failure detected Event Severity: Critical Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Message Log messages that match all of the following filters: logdesc~"update" AND logdesc~"failed" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devname} with message: ${msg} Rule 7: Security fabric settings change detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Settings modified by Security Fabric service" OR logdesc=="Looped configuration in Security Fabric service" OR logdesc=="Connection with CSF member established and authorized" OR logdesc=="Connection with authorized CSF member terminated" OR logdesc=="Serial number of upstream is changed" Tags: NOC, Fabric Custom message: Device: ${devname} change with message: ${msg}
Default-NOC-System-Events	Event handler for FortiGate device type logs to generate events for system events including Power failure and device shutdown, High Resource usage (CPU, Mem, Storage), log device full status warnings and disk rolled, and devices entering/exiting conserve mode. Disabled by default MITRE Tech IDs: T1496 Resource Hijacking T1529 System Shutdown/Reboot Rule 1: Device shutdown detected Event Severity: Critical Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc="Device shutdown" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devname} experienced $logdesc with message: ${msg} Rule 2: Device conserve mode detected Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid=="0100022011" OR logid=="0100022802" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${logdesc} on Device: ${devname} with message ${msg} Rule 3: Disk or memory is full Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Disk log full over first warning" OR logdesc=="Memory log full over first warning level" OR logdesc=="Memory log full over second warning level" OR logdesc=="Memory log full over final warning level" OR logdesc=="Disk full" OR logdesc=="Disk log rolled" OR logdesc=="Log disk full" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 4: Device high CPU consumption detected Event Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: cpu>="80" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devid} performance cpu: ${cpu} Rule 5: Device high memory consumption detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: mem>="75" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devid} performance memory: ${memory}
Default-NOC-VPN-Events	Event handler for FortiGate device type logs to generate events for VPN status changes including IPsec Phase1 error or failure, and Phase2 Up/Down and errors, Ipsec Tunnel Up/Down, VPN SSL login failures, IPSec ESP Error, IPsec DPD failures. Disabled by default MITRE Tech IDs: T1133 External Remote Services T1572 Protocol Tunneling Rule 1: User SSL VPN login failed Event Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Source End User Log messages that match any one of the following filters: logid=="0101039426" and action=="ssl-login-fail" Tags: NOC, VPN Custom message: ${logdesc} due to: ${reason} Rule 2: IPsec phase 1 error or status fail detected Event Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Message Log messages that match any one of the following filters: (logid=="0101037124" OR logid=="0101037120") and (logdesc=="IPsec phase 1 error" OR status="fail") Tags: NOC, VPN Custom message: ${logdesc} due to: ${status} with reason: ${reason} Rule 3: IPsec ESP error detected Event Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Message Log messages that match any one of the following filters: logid=="0101037131" and logdesc=="IPsec ESP" Tags: NOC, VPN Custom message: ${status} on: ${devname}, ${error_num} Rule 4: IPsec DPD failed Event Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Message Log messages that match any one of the following filters: logid=="0101037136" and logdesc=="IPsec DPD failed" Tags: NOC, VPN Custom message: ${msg} on device: ${devname} Rule 5: Device tunnel-up or tunnel-down detected Event Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid="0101037138" and (action="tunnel-up" or action= "tunnel-down") Tags: NOC, VPN Custom message: ${msg} due to: ${action} Rule 6: IPsec phase 2 error detected Event Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Message Log messages that match any one of the following filters: logid=="0101037125" and logdesc=="IPsec phase 2 error" Tags: NOC, VPN Custom message: ${logdesc} due to: ${reason} Rule 7: Device phase2-up or phase2-down detected Event Severity: Medium Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Message Log messages that any one all of the following filters: logid=="0101037139" and (action=="phase2-up" OR action=="phase2-down") Tags: NOC, VPN Custom message: ${logdesc} due to: ${action}
Default-NOC-SD-WAN-Events	Event handler for FortiGate device type logs to generate events for SD-WAN status, alerts, and health check events including SLA targets/SLA met or not met for jitter, latency, packetloss, Health-check server status (alive or dead), status (up or down), and member status change. Disabled by default MITRE Tech IDs: T1499.002 Service Exhaustion Flood T1529 System Shutdown/Reboot Rule 1: SLA failed for jitter Event Severity: High Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Health Check Log messages that match any one of the following filters: subtype=="sdwan" AND metric=="jitter" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${jitter} which violates the target ID ${slatargetid}. Rule 2: SLA failed for latency Event Severity: High Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Health Check Log messages that match any one of the following filters: subtype=="sdwan" AND metric=="latency" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${latency} which violates the target ID ${slatargetid}. Rule 3: SLA failed for packetloss Event Severity: High Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Health Check Log messages that match any one of the following filters: subtype=="sdwan" AND metric=="packetloss" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${packetloss} which violates the target ID ${slatargetid}. Rule 4: Device status changed to die Event Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid="0113022925" AND newvalue="die" Tags: NOC, SD-WAN Custom message: Device: ${devname} with status ${newvalue}. ${msg}. Rule 5: Device status changed to alive. Event Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid="0113022925" AND newvalue="alive" Tags: NOC, SD-WAN Custom message: Device: ${devname} with status ${newvalue}. ${msg}. Rule 6: Device status is up Event Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Health Check Log messages that match any one of the following filters: logid="0113022925" AND status=="up" Tags: NOC, SD-WAN Custom message: Device: ${devname} ${msg} status is ${status}. Rule 7: Device status is down Event Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Health Check Log messages that match any one of the following filters: logid="0113022925" AND status=="down" Tags: NOC, SD-WAN Custom message: Device: ${devname} ${msg} status is ${status}. Rule 8: Number of pass member changed Event Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid="0113022923" AND msg="Number of pass member changed." Tags: NOC, SD-WAN Custom message: ${msg} from ${oldvalue} to ${newvalue} for ${devname} Rule 9: Member status changed Event Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid="0113022923" AND msg="Member status changed. Member out-of-sla." Tags: NOC, SD-WAN Custom message: ${msg}. Member is now ${member} on ${devname}.
Default-NOC-Docker-Events	Event handler for FortiGate device type logs to generate events for Docker including inlcuding container enabled/disabled, CPU value set/max reached and MEM value set/max reached. Disabled by default Rule 1: Memory report detected Event Severity: Medium Log Device Type: FortiManager Log Type: Event Log Field: Type, Subtype Log messages that match any one of the following filters: log_id=="0042010266" and msg~"MEM" Tags: NOC, Docker Custom message: Device ${devname} with message ${msg}. Rule 2: CPU report detected Event Severity: Medium Log Device Type: FortiManager Log Type: Event Log Field: Type, Subtype Log messages that match any one of the following filters: log_id=="0042010266" and msg~"CPU" Tags: NOC, Docker Custom message: Device ${devname} with message ${msg}. Rule 3: Status changed to disable Event Severity: Medium Log Device Type: FortiManager Log Type: Event Log Field: Type, Subtype Log messages that match any one of the following filters: log_id="0001010026" and changes~"status=disable" Tags: NOC, Docker Custom message: Device ${devname} with changes ${changes}. Rule 4: Status changed to enable Event Severity: Medium Log Device Type: FortiManager Log Type: Event Log Field: Type, Subtype Log messages that match any one of the following filters: log_id="0001010026" and changes~"status=enable" Tags: NOC, Docker Custom message: Device ${devname} with changes ${changes}.
ZTNA Brute Force Login	Detects various brute force login attempts in ZTNA environments. Enabled by default Rule 1: High Volume of Failed Authentications from Multiple Non-Existing Users Triggers an event when 100 or more non-existing users have failed authentications to a host name within 10 minutes. Event Severity: Medium Log Device Type: Fabric Log Type: Normalized Log Field: Host Name Log messages that match all of the following filters: Data Source Type = FortiAuthenticator Event Sub Type = Authentication Event ID = 20101 Event Message: High volume of failed authentications from multiple non-existing users to host: $groupby1 Tags: ZTNA, Login, AccountDiscovery, BruteForce, CredentialSurfing Rule 2: Authentication Failed from Multiple Geo Locations Triggers an event when an existing account fails to authenticate from three or more different geo locations within five minutes. Event Severity: High Log Device Type: Fabric Log Type: Normalized Log Field: User ID Log messages that match all of the following filters: Data Source Type = FortiAuthenticator Event Sub Type = Authentication Event Profile contains AUTH_FAIL UEBA User ID > 1024 Event Message: Authentication failed from multiple geo locations for user: $groupby1 Tags: ZTNA, Login, Geo, BruteForce Rule 3: Brute Force Login Attack Triggers an event when and existing user has 10 or more failed authentications with an event profile containing AUTH_FAIL_LOCK within 10 minutes. Event Severity: Medium Log Device Type: Fabric Log Type: Normalized Log Fields: User ID, Event Profile Log messages that match all of the following filters: Data Source Type = FortiAuthenticator Event Sub Type = Authentication Event Profile contains AUTH_FAIL UEBA User ID > 1024 Event Message: Brute force login attack for user: $groupby1 Tags: ZTNA, Login, BruteForce Rule 4: High Volume of Failed Authentications to Same Non-Existing User Triggers an event when a non-existing user has at least 100 or more failed authentications within 1440 minutes (one day). Event Severity: Medium Log Device Type: Fabric Log Type: Normalized Log Field: User ID Log messages that match all of the following filters: Data Source Type = FortiAuthenticator Event Sub Type = Authentication Event ID = 20101 Event Message: High volume of failed authentications for non-existing user: $groupby1 Tags: ZTNA, Login, BruteForce, DoS
ZTNA Login Anomaly Detection	Detects various suspicious login scenarios in ZTNA environments. Enabled by default Rule 1: Authentication to Multiple Services Failed Triggers an event when a user has failed authentications to three or more services within 10 minutes. Event Severity: Medium Log Device Type: Fabric Log Type: Normalized Log Field: User ID Log messages that match all of the following filters: Data Source Type = FortiAuthenticator Event Sub Type = Authentication Event Profile contains AUTH_FAIL UEBA User ID > 1024 Event Message: Authentication to multiple services failed for user: $groupby1 Tags: ZTNA, Login, PrivilegeEscalation Rule 2: Successful Authentication from Multiple Geo Locations Triggers an event when a user has successful authentication from three or more unique geo locations within 10 minutes. Event Severity: Critical Log Device Type: Fabric Log Type: Normalized Log Field: User ID Log Filter by Text: `data_sourcetype = 'FortiAuthenticator' and euid > 1024 and ((event_subtype = 'User' and event_profile = 'SAML_IDP_PORTAL_LOGIN') or (event_subtype = 'Authentication' and event_profile ~ 'AUTH_OK'))` Event Message: Suspicious successful authentication from multiple geo locations for user: $groupby1 Tags: ZTNA, Login, Geo, ImpossibleTravel Rule 3: Successful Authentication from Multiple Endpoints Triggers an event when a user has successful authentication from five or more different host_IPs within 10 minutes. Event Severity: High Log Device Type: Fabric Log Type: Normalized Log Field: User ID, Host Name Log Filter by Text: `data_sourcetype = 'FortiAuthenticator' and euid > 1024 and ((event_subtype = 'User' and event_profile = 'SAML_IDP_PORTAL_LOGIN') or (event_subtype = 'Authentication' and event_profile ~ 'AUTH_OK'))` Event Message: Suspicious successful authentication from multiple endpoints for user: $groupby1 to host $groupby2 Tags: ZTNA, Login, LateralMovement Rule 4: Successful Authentication from Sanctioned Countries Triggers an event when a user has at least one successful authentication from sanctioned countries within 10 minutes. Event Severity: Medium Log Device Type: Fabric Log Type: Normalized Log Field: User ID Log Filter by Text: data_sourcetype='FortiAuthenticator' and euid>1024 and ((event_subtype='User' and event_profile='SAML_IDP_PORTAL_LOGIN') or (event_subtype='Authentication' and event_profile~'AUTH_OK')) and (src_geo_country='Russian Federation' or src_geo_country='Belarus' or src_geo_country='Iraq' or src_geo_country='Sri Lanka' or src_geo_country='Central African Republic' or src_geo_country='Syrian Arab Republic' or src_geo_country='Libyan Arab Jamahiriya' or src_geo_country='Korea, Democratic People\'s Republic of' or src_geo_country='Nicaragua' or src_geo_country='China' or src_geo_country~'Iran' or src_geo_country='Venezuela' or src_geo_country='Yemen' or src_geo_country='Lebanon' or src_geo_country='Myanmar' or src_geo_country~'Sudan' or src_geo_country~'Moldova' or src_geo_country~'Congo' or src_geo_country='Guatemala' or src_geo_country='Ukraine' or src_geo_country='Haiti' or src_geo_country='Somalia' or src_geo_country='Zimbabwe') Event Message: Successful authentication from sanctioned countries for user: $groupby1 Tags: ZTNA, Login, Geo, PolicyViolation, Compliance

Below are examples of raw logs that would trigger the associated default event handler.

Default Event Handler	Example Log
Local Device Event	id=6872390755323740160 itime=2020-09-14 10:06:03 euid=1 epid=1 dsteuid=1 dstepid=1 log_id=0034043006 subtype=logdb type=event level=warning time=10:06:03 date=2020-09-14 user=system action=delete msg=Requested to trim database tables older than 60 days to enforce the retention policy of Adom root. userfrom=system desc=Trim local db devid=FAZ-VMTM20001572 devname=FAZ-VMTM20001572 dtime=2020-09-14 10:06:03 itime_t=1600103163
Default-Compromised Host-Detection-by IOC-By-Threat	date=2020-09-20 time=07:41:20 id=6874471739997290516 itime=2020-09-20 00:41:20 euid=3 epid=1161 dsteuid=3 dstepid=101 type=utm subtype=ips level=warning sessionid=917509475 policyid=2 srcip=172.16.93.164 dstip=5.79.68.109 srcport=51392 dstport=80 proto=6 logid=0421016399 service=HTTP eventtime=1537181449 crscore=30 crlevel=high srcintfrole=lan dstintfrole=wan direction=outgoing url=/ hostname=survey-smiles.com profile=default eventtype=malicious-url srcintf=95-FortiCloud dstintf=OSPF msg=URL blocked by malicious-url-list devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:20 itime_t=1600587680 devname=FG100D3G02000011
Default-Risky-App-Detection-By-Threat	date=2020-09-20 time=07:41:23 id=6874471752882192399 itime=2020-09-20 00:41:23 euid=3 epid=1201 dsteuid=3 dstepid=101 type=utm subtype=app-ctrl level=information action=pass sessionid=3003333495 policyid=79 srcip=172.16.80.218 dstip=122.195.166.40 srcport=38625 dstport=26881 proto=6 logid=1059028704 service=tcp/26881 eventtime=1537399002 incidentserialno=603516169 crscore=5 crlevel=low direction=outgoing apprisk=high appid=6 srcintfrole=lan dstintfrole=wan applist=scan appcat=P2P app=BitTorrent eventtype=app-ctrl-all srcintf=80-software-r dstintf=port7 msg=P2P: BitTorrent_HTTP.Track, devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:23 itime_t=1600587683 devname=FG100D3G02000011
Default_NOC_Routing_Events	date=2021-02-08 time=10:36:09 eventtime=1612809370040652208 tz="-0800" logid="0103027001" type="event" subtype="router" level="information" vd="root" logdesc="VRRP state changed" interface="port1" msg="VRRP vrid 200 vrip 172.17.200.200 changes state from Master to Backup due to ADVERTISEMENT with higherer priority received"

FortiOS system events

FortiOS predefined system event handlers are consolidated into a single event handler with multiple rules called Default-FOS-System-Events.

Events are organized by device in the Incidents & Events dashboards, which can be expanded to view all related events.

Default-FOS-System-Events rules apply tags to each event, allowing you to identify which Default-FOS-System-Events rule triggered the event.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

Administration Guide

Predefined basic event handlers