Predefined basic alert handlers

FortiAnalyzer includes many predefined alert handlers that you can use to generate alerts. You can easily create a custom alert handler by cloning a predefined alert handler and customizing its settings. See Cloning alert handlers.

If you wish to recieve notifications from a pedefined alert handler, configure a notification profile and assign it to the alert handler. See Creating notification profiles.

In 6.2.0 and up, predefined alert handlers have been consolidated and have multiple rules that can be enabled or disabled individually.

To view predefined alert handlers in the FortiAnalyzer GUI, go to Incidents & Alerts > Alert Handlers > Alert Handlers. From the More dropdown, select Show Predefined. The predefined alert handlers display with Origin = Built-in. An icon in the Name column indicates if the alert handler is a basic alert handler or a correlation alert handler. For more information about correlation alert handlers, see Predefined correlation alert handlers.

The following are a small sample of FortiAnalyzer predefined basic alert handlers.

Alert Handler	Description
Default-Compromised-Host-Detection-IOC-By-Threat	Default alert handler to detect compromised hosts by FortiAnalyzer IOC feature grouped by threat. Enabled by default MITRE Tech IDs: T1071.001 Web Protocols T1071.004 DNS T1041 Exfiltration Over C2 Channel Rule 1: Traffic to CnC detected Alert Severity: Critical Log Device Type: FortiGate Log Type: Traffic Log > Any Log Field: Destination IP, Endpoint Log messages that match all of the following filters: tdtype~infected Status: Unhandled Tags: IP, C&C, Ioc_Rescan Custom Message: Traffic to C&C:${dstip}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 2: Web traffic to CnC detected Alert Severity: Critical Log Device Type: FortiGate Log Type: Web Filter Log Field: Hostname URL, Source Endpoint Log messages that match all of the following filters: tdtype~infected Status: Unhandled Tags: C&C, URL, Ioc_Rescan Custom Message: Traffic to C&C:${hostname}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 3: DNS traffic to CnC detected Alert Severity: Critical Log Device Type: FortiGate Log Type: DNS Log Log Field: QNAME, Source Endpoint Log messages that match all of the following filters: tdtype~infected Status: Unhandled Tags: C&C, Domain, Ioc_Rescan Custom Message: Traffic to C&C:${qname}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 4: Traffic to CnC event detected by FortiGate Alert Severity: Critical Log Device Type: FortiGate Log Type: Event Log > System Log Field: Source IP Log messages that match all of the following filters: logid==0100020214 Status: Unhandled Tags: C&C Custom Message: FGT detected traffic to IOC location, from the source ip:${srcip}
Default-Data-Leak-Detection-By-Threat	Default data leak detection handler grouped by threat. Disabled by default MITRE Tech ID: T1005 Data from Local System Rule 1: Data leak detected Alert Severity: Medium Log Device Type: FortiGate Log Type: DLP Log Field: Filter Category, Source Endpoint Log messages that match all of the following filters: action==log-only or action==allow Status: Unhandled Tags: Signature, Leak Custom Message: File:${filename} (Type:${filetype}, Size:${filesize}), Traffic path: PolicyID ${policyid}\${dstip}:${dstport} Rule 2: Data leak blocked Alert Severity: Low Log Device Type: FortiGate Log Type: DLP Log Field: Filter Category, Source Endpoint Log messages that match all of the following filters: action!=log-only and action!=allow Status: Mitigated Tags: Signature, Leak Custom Message: File:${filename} (Type:${filetype}, Size:${filesize}), Traffic path: PolicyID ${policyid}\${dstip}:${dstport}
Default-Sandbox-Detections-By-Endpoint	Default handler to track file submission and malware detection by FortiSandbox grouped by endpoint. Disabled by default MITRE Tech IDs: T1041 Exfiltration Over C2 Channel Rule 1: Malware detected Alert Severity: Critical Log Device Type: FortiGate Log Type: AntiVirus Log Field: Source Endpoint, Virus Name Log messages that match all of the following filters: logid==0211009235 or logid==0211009237 Status: Unhandled Tags: Sandbox, Signature, Malware Custom Message: Malware:${virus} with severity:${crlevel} found in file:${filename} from ${dstip}:${dstport}, Reference: ${ref} Rule 2: Malware blocked Alert Severity: Critical Log Device Type: FortiGate Log Type: AntiVirus Log Field: Source Endpoint, Virus Name Log messages that match all of the following filters: logid==0211009234 or logid==0211009236 Status: Mitigated Tags: Sandbox, Signature, Malware Custom Message: Malware:${virus} with severity:${crlevel} found in file:${filename} from ${dstip}:${dstport}, Reference: ${ref} Rule 3: Sandbox detected Malware Alert Severity: Critical Log Device Type: FortiGate Log Type: AntiVirus Log Field: Source Endpoint Log messages that match any one of the following filters: logid==0201009238 and fsaverdict==malicious Status: Unhandled Tags: Sandbox, Malware Custom Message: File:${filename}, Traffic path: ${dstintf}(Policy:${policyid})\${dstip}:${dstport}, Checksum:${analyticscksum}
Default-Shadow-IT-Events	Default alert handler to detect unsanctioned user, application and file exfiltration for cloud access. This alert handler requires a FortiCASB connector configured on FortiAnalyzer. See Configuring security fabric connectors. This automatically creates the Get Cloud Service Data (FortiCasb Connector) playbook, which must be enabled for this alert handler to generate alerts. See Playbooks. Disabled by default MITRE Tech ID: T1011 Exfiltration Over Other Network Medium Rule 1: Unsanctioned Applications detected Alert Severity: High Log Device Type: FortiGate Log Type: Application Control Log Field: Source IP, Application Name Log messages that match all of the following filters: (siflags & 1) == 0 && siappid >=0 Status: Unhandled Tags: Unsanctioned_App Custom Message: Unsanctioned application ${app} with app risk: ${apprisk} detected on: ${devname} with message: ${msg} Rule 2: File Exfiltration Attempts detected Alert Severity: High Log Device Type: FortiGate Log Type: Application Control Log Field: Source IP, Application Name Log messages that match all of the following filters: (siflags & 4) == 4 Status: Unhandled Tags: File_Exfiltration Custom Message: File exfiltration detected on: ${devname} with message: ${msg} Rule 3: Unsanctioned Users detected Alert Severity: High Log Device Type: FortiGate Log Type: Application Control Log Field: Source IP, Application Name Log messages that match all of the following filters: (siflags & 1) == 1 && (siflags & 2) == 0 Status: Unhandled Tags: Unsanctioned_User Custom Message: Unsanctioned user: ${unauthuser} with app risk: ${apprisk} detected on: ${devname} with message: ${msg}
Local Device Event	Default local device alert handler. Available only in the Root ADOM. Enabled by default Data Selector: Default Local Device Selector Rule 1: Critical or important events Alert Severity: Medium Log Device Type: Local Device Log Type: Event Log Field: Log Description Log messages that match the following filters: Level Greater Than or Equal To Warning Tags: System, Local
Default-NOC-Interface-Events	Alert handler for FortiGate device type logs to generate alerts for vlan/interface status up or down, and DNS service on interface status. Disabled by default MITRE Tech ID: T1489 Service Stop Rule 1: Interface status changed to up Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: action="interface-stat-change" and status="UP" Tags: NOC, Interface Custom message: Device ${devname}, status changed to ${status} with message ${msg}. Rule 2: Interface status changed to down Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: action="interface-stat-change" and status="DOWN" Tags: NOC, Interface Custom message: Device ${devname}, status changed to ${status} with message ${msg}. Rule 3: DNS server config added Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: cfgpath="system.dns-server" and action="Add" Tags: NOC, Interface, DNS Custom Message: Device ${devname}, DNS server status changed with message ${msg}. Rule 4: DNS server config deleted Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match all of the following filters: cfgpath="system.dns-server" and action="Delete" Tags: NOC, Interface, DNS Custom Message: Device ${devname}, DNS server status changed with message ${msg}.
Default-NOC-FortiExtender-Events	Alert handler for FortiGate device type logs to generate alerts for FortiExtender alerts, authorization and controller activity alerts. Disabled by default MITRE Tech ID: T1499.001 OS Exhaustion Flood Rule 1: FortiExtender Authorized Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: action="FortiExtender Authorized" Tags: NOC, FortiExtender Custom message: Device: ${ip} ${action} with message: ${msg} Rule 2: Warning event detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: level="warning" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 3: Alert event detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: level="alert" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 4: Critical event detected Alert Severity: Critical Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: level="critical" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 5: Error event detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: level="error" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 6: Emergency event detected Alert Severity: Critical Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: level="emergency" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 7: FortiExtender controller activity detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: logid="0111046401" and logdesc="FortiExtender controller activity" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 8: FortiExtender controller activity error detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: logid="0111046402" and logdesc="FortiExtender controller activity error" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg}
Default-NOC-Routing-Events	Alert handler for FortiGate device type logs to generate alerts for changes in routing information including BGP Neighbor Status, Routing information change, OSFP Neighbor Status, Neighbor Table Changed and VRRP State Changed. Disabled by default Rule 1: Routing information changed Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc="Routing information changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 2: BGP neighbor status changed Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Router Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc="BGP neighbor status changed" Tags: NOC, Routing Custom message: ${devname}. BGP neighbor status changed with message ${msg} Rule 3: OSPF or OSPF6 neighbor status changed Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Router Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="OSPF neighbor status changed" OR logdesc=="OSPF6 neighbor status changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 4: Neighbor table changed Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Router Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="neighbor table change" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 5: VRRP state changed Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Router Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="VRRP state changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg}
Default-NOC-Network-Events	Alert handler for FortiGate device type logs to generate network alerts including SNMP queries, routing information changes, DHCP server and status changes. Disabled by default Rule 1: Device SNMP query failed Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match all of the following filters: logid="0100029021" AND logdesc="SNMP query failed" Tags: NOC, Network Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 2: Device routing information changed Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Routing information changed" Tags: NOC, Network Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 3: DHCP client lease granted or usage high Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="DHCP client lease granted" OR logdesc=="DHCP lease usage high" OR logdesc=="DHCP lease usage full" Tags: NOC, Network Custom message: DHCP status on Device ${devname} is ${logdesc} with message: ${msg} Rule 4: SNMP enabled Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: cfgpath="system.snmp.sysinfo" and logdesc="Attribute configured" and cfgattr=status[disable->enable] Tags: NOC, Network Custom message: Device ${devname} ${logdesc} ${cfgattr} with message ${msg}. Rule 5: SNMP disabled Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: cfgpath="system.snmp.sysinfo" and logdesc="Attribute configured" and cfgattr=status[enable->disable] Tags: NOC, Network Custom message: Device ${devname} ${logdesc} ${cfgattr} with message ${msg}. Rule 6: DHCP server status changed Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match all of the following filters: cfgpath="system.dhcp.server" and logdesc="Object attribute configured" Tags: NOC, Network Custom message: DHCP server status change ${cfgattr} with message ${msg}. Rule 7: DHCP lease renewed Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: dhcp_msg="Ack" and logdesc="DHCP Ack log" Tags: NOC, Network Custom message: Host ${hostname} with message ${msg}. Rule 8: DHCP lease released Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match all of the following filters: dhcp_msg="Release" and logdesc="DHCP Release log" Tags: NOC, Network Custom message: Host ${hostname} with message ${msg}.
Default-NOC-Switch-Events	Alert handler for FortiGate device type logs to generate alerts for Switch-Controller added/deleted or authorized/deauthorized, Switch-Controller Status, Interface flapping, LAG/MCLAG and split-brain status, Cable test/diagnosis and physical port up/down. Disabled by default MITRE Tech ID: T1489 Service Stop Rule 1: Switch-Controller activity detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Message Log messages that match all of the following filters: (subtype="switch-controller") and (logdesc=="Switch-Controller discovered" OR logdesc=="Switch-Controller authorized" OR logdesc=="Switch-Controller deauthorized" OR logdesc=="Switch-Controller deleted" OR logdesc=="Switch-Controller warning") Tags: NOC, Switch, Controller Custom message: ${logdesc} Rule 2: Vlan interface change has occurred Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc='FortiSwitch system' and msg~"interface vlan" Tags: NOC, Switch, Controller Custom message: Device ${devname} interface vlan change with message: ${msg} Rule 3: Port switch detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Message Log messages that match any one of the following filters: logdesc="FortiSwitch link" AND msg~"switch port" Tags: NOC, Switch, Controller Custom message: ${logdesc} on Device: ${devname} with message: ${msg} Rule 4: Device flap detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Message Log messages that match any one of the following filters: msg~"flap" Tags: NOC, Switch, Controller Default message Rule 5: Device LAG-MCLAG status change Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: msg~"lag" OR msg~"mclag" Tags: NOC, Switch, Controller Custom message: Device: ${devname} LAG-MCLAG status update with message: ${msg} Rule 6: Device MCLAG split-brain detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: log_id=0115032695 and msg~"MCLAG split-brain" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 7: Device cable diagnose detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: log_id=0115032699 and msg~"CABLE DIAGNOSE" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 8: Device come up detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: log_id=="0115032695" and msg~"come up" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 9: Device gone down detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: log_id=="0115032695" and msg~"gone down" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}.
Default-NOC-HA-Events	Alert handler for FortiGate device type logs to generate alerts for HA cluster updates and alerts including HA Device interface failure, Cluster Priority Changed, cluster member state moved, device interface down, HA device syncronization status, connection to FortiAnalyzer status, FortiManager tunnel connection status and connection with CSF member status. Disabled by default MITRE Tech ID: T1489 Service Stop Rule 1: HA device interface failed Alert Severity: High Log Device Type: FortiGate Log Type: Event > HA Log Field: Device Name, Message Log messages that match any one of the following filters: logdesc=="HA device interface failed" and logid=="0108037898" Tags: NOC, HA, Cluster Default message Rule 2: Device set as HA primary Alert Severity: High Log Device Type: FortiGate Log Type: Event > HA Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Device set as HA primary" Tags: NOC, HA, Cluster Custom message: Device: ${devname} has been set to HA Primary with msg: ${msg} Rule 3: Cluster state moved or Heartbeat device interface down Alert Severity: High Log Device Type: FortiGate Log Type: Event > HA Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Virtual cluster member state moved" OR logdesc=="Heartbeat device interface down" Tags: NOC, HA, Cluster Custom message: Device: ${devname} ${logdesc} with HA role: ${ha_role} Rule 4: Synchronization activity detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > HA Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="HA secondary synchronization failed" OR logdesc=="Secondary sync failed" OR logdesc="Synchronization status with master" Tags: NOC, HA, Cluster Custom message: Device: HA synchronization status for Device: ${devname} ${logdesc}. Message: ${msg}. Status is: ${sync_status} Rule 5: FortiAnalyzer connection up Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: action="connect" and status="success" and logdesc="FortiAnalyzer connection up" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 6: FortiAnalyzer connection failed Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that any one all of the following filters: action="connect" and status="failure" and logdesc="FortiAnalyzer connection failed" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 7: Upstream connection with CSF member established and authorized Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: direction="upstream" and logdesc="Connection with CSF member established and authorized" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 8: Upstream connection with authorized CSF member terminated Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: direction="upstream" and logdesc="Connection with authorized CSF member terminated" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 9: FortiManager tunnel connection up Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: action="connect" and status="success" and logdesc="FortiManager tunnel connection up" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${logdesc} with message - ${msg}. Rule 10: FortiManager tunnel connection down Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: action="connect" and status="failure" and logdesc="FortiManager tunnel connection down" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${logdesc} with message - ${msg}.
Default-NOC-Wireless-Events	Alert handler for FortiGate device type logs to generate alerts for wireless wifi, AP updates and alerts including AP Status Change and Fake/Rogue AP detection, wireless client status change added/removed/allowed or denied status, signal to noise ratio (SNR) poor/fair/good, SSID status up/down. Disabled by default Rule 1: Fake AP detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name, SSID Log messages that match any one of the following filters: logid="0104043567" AND logdesc=="Fake AP detected" Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. SN: ${sndetected} Rule 2: Rogue AP detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name, SSID Log messages that match any one of the following filters: logid=="0104043563" AND logdesc=="Rogue AP detected" Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. SN: ${sndetected} with message: ${msg} Rule 3: Wireless event log id matched Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name, Message Log messages that match any one of the following filters: subtype="wireless" AND (logid=="0104043551" OR logid=="0104043552" OR logid=="0104043553") Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. of AP: ${ap} Rule 4: Wireless client activity detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name, Log Description Log messages that match any one of the following filters: (logdesc=="Wireless client associated" OR logdesc=="Wireless client authenticated" OR logdesc=="Wireless client disassociated" OR logdesc=="Wireless client deauthenticated" OR logdesc=="Wireless client idle" OR logdesc=="Wireless client denied" OR logdesc=="Wireless client kicked" OR logdesc="Wireless client IP assigned" OR logdesc=="Wireless client left WTP" OR logdesc=="Wireless client WTP disconnected") Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc} for ${ssid} with message: ${msg} Rule 5: Signal-to-noise ratio is poor Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name Log messages that match any one of the following filters: snr<="24" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has a poor quality SNR at ${snr} dB. Rule 6: Signal-to-noise ratio is fair Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name Log messages that match any one of the following filters: snr>="25" and snr<="40" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has fair quality SNR at ${snr} dB. Rule 7: Signal-to-noise ratio on is excellent Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name Log messages that match any one of the following filters: snr>="41" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has excellent quality SNR at ${snr} dB. Rule 8: Physical AP radio ssid up Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: SSID, Log Description Log messages that match any one of the following filters: logdesc="Physical AP radio ssid up" and action="ssid-up" Tags: NOC, Wireless, Wifi, AP Custom message: Device ${sn} SSID status change with message ${msg}. Rule 9: Physical AP radio ssid down Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: SSID, Log Description Log messages that match any one of the following filters: logdesc="Physical AP radio ssid down" and action="ssid-down" Tags: NOC, Wireless, Wifi, AP Custom message: Device ${sn} SSID status change with message ${msg}.
Default-NOC-Security-Events	Alert handler for FortiGate device type logs to generate alerts for security alerts including Admin Logins failed or disabled, Admin or Admin Monitor Disconnected, Admin password expired and UTM Profile changes. Disabled by default Rule 1: Admin login failed or desabled Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Admin login failed" OR logdesc=="Admin login disabled" OR logdesc=="SSL VPN login fail" Tags: NOC, Security, Login, Password Custom message: ${logdesc} for ${user} on device: ${devname} due to: ${reason} with message: ${msg} Rule 2: Admin password expired Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Admin password expired" Tags: NOC, Security, Login, Password Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 3: Admin disconnected Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Admin disconnected" OR logdesc=="Admin monitor disconnected" Tags: NOC, Security, Login, Password Custom message: ${logdesc} on device: ${devname} with message: ${msg} Rule 4: AV or IPS change detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="AV updated by admin" OR logdesc=="IPS package - Admin update successful" OR logdesc=="AV package update by SCP failed" OR logdesc=="IPS package failed to update via SCP" OR logdesc=="IPS custom signatures backup failed" Tags: NOC, Security, Login, Password Custom message: Device: ${devname} ${logdesc} with message: ${msg}
Default-NOC-Fabric-Events	Alert handler for FortiAnalyzer and FortiGate log device type to detect Fabric alerts, including device offline, CSF member connection status down or terminated, CSF member configuration changes, automation stitch triggered , licenses that are expiring or failed updates. Disabled by default MITRE Tech ID: T1529 System Shutdown/Reboot Rule 1: Device offline detected Alert Severity: High Log Device Type: FortiAnalyzer Log Type: Application Log Log Field: Logging Device Name, Message Log messages that match any one of the following filters: desc="Device offline" Tags: NOC, Fabric Custom message: ${logdev_id} is offline Rule 2: FortiAnalyzer connection down detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Message Log messages that match any one of the following filters: logdesc="FortiAnalyzer connection down" Tags: NOC, Fabric Default message Rule 3: Connection with authorized CSF member terminated Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Message Log messages that match all of the following filters: logdesc="Connection with authorized CSF member terminated" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devid} due to: ${reason} Rule 4: Automation stitch triggered Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc="Automation stitch triggered" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devname} with message: ${msg} and stitch action: ${stitchaction} Rule 5: Device license failed or expiring detected Alert Severity: Critical Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Message Log messages that match any one of the following filters: logdesc~"license failed" OR logdesc~"license expiring" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devid} Rule 6: System update or failure detected Alert Severity: Critical Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Message Log messages that match all of the following filters: logdesc~"update" AND logdesc~"failed" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devname} with message: ${msg} Rule 7: Security fabric settings change detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Settings modified by Security Fabric service" OR logdesc=="Looped configuration in Security Fabric service" OR logdesc=="Connection with CSF member established and authorized" OR logdesc=="Connection with authorized CSF member terminated" OR logdesc=="Serial number of upstream is changed" Tags: NOC, Fabric Custom message: Device: ${devname} change with message: ${msg}
Default-NOC-System-Events	Alert handler for FortiGate device type logs to generate alerts for system alerts including Power failure and device shutdown, High Resource usage (CPU, Mem, Storage), log device full status warnings and disk rolled, and devices entering/exiting conserve mode. Disabled by default MITRE Tech IDs: T1496 Resource Hijacking T1529 System Shutdown/Reboot Rule 1: Device shutdown detected Alert Severity: Critical Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc="Device shutdown" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devname} experienced $logdesc with message: ${msg} Rule 2: Device conserve mode detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid=="0100022011" OR logid=="0100022802" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${logdesc} on Device: ${devname} with message ${msg} Rule 3: Disk or memory is full Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Disk log full over first warning" OR logdesc=="Memory log full over first warning level" OR logdesc=="Memory log full over second warning level" OR logdesc=="Memory log full over final warning level" OR logdesc=="Disk full" OR logdesc=="Disk log rolled" OR logdesc=="Log disk full" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 4: Device high CPU consumption detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: cpu>="80" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devid} performance cpu: ${cpu} Rule 5: Device high memory consumption detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: mem>="75" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devid} performance memory: ${memory}
Default-NOC-VPN-Events	Alert handler for FortiGate device type logs to generate alerts for VPN status changes including IPsec Phase1 error or failure, and Phase2 Up/Down and errors, Ipsec Tunnel Up/Down, VPN SSL login failures, IPSec ESP Error, IPsec DPD failures. Disabled by default MITRE Tech IDs: T1133 External Remote Services T1572 Protocol Tunneling Rule 1: User SSL VPN login failed Alert Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Source End User Log messages that match any one of the following filters: logid=="0101039426" and action=="ssl-login-fail" Tags: NOC, VPN Custom message: ${logdesc} due to: ${reason} Rule 2: IPsec phase 1 error or status fail detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Message Log messages that match any one of the following filters: (logid=="0101037124" OR logid=="0101037120") and (logdesc=="IPsec phase 1 error" OR status="fail") Tags: NOC, VPN Custom message: ${logdesc} due to: ${status} with reason: ${reason} Rule 3: IPsec ESP error detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Message Log messages that match any one of the following filters: logid=="0101037131" and logdesc=="IPsec ESP" Tags: NOC, VPN Custom message: ${status} on: ${devname}, ${error_num} Rule 4: IPsec DPD failed Alert Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Message Log messages that match any one of the following filters: logid=="0101037136" and logdesc=="IPsec DPD failed" Tags: NOC, VPN Custom message: ${msg} on device: ${devname} Rule 5: Device tunnel-up or tunnel-down detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid="0101037138" and (action="tunnel-up" or action= "tunnel-down") Tags: NOC, VPN Custom message: ${msg} due to: ${action} Rule 6: IPsec phase 2 error detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Message Log messages that match any one of the following filters: logid=="0101037125" and logdesc=="IPsec phase 2 error" Tags: NOC, VPN Custom message: ${logdesc} due to: ${reason} Rule 7: Device phase2-up or phase2-down detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Message Log messages that any one all of the following filters: logid=="0101037139" and (action=="phase2-up" OR action=="phase2-down") Tags: NOC, VPN Custom message: ${logdesc} due to: ${action}
Default-NOC-SD-WAN-Events	Alert handler for FortiGate device type logs to generate alerts for SD-WAN status, alerts, and health check alerts including SLA targets/SLA met or not met for jitter, latency, packetloss, Health-check server status (alive or dead), status (up or down), and member status change. Disabled by default MITRE Tech IDs: T1499.002 Service Exhaustion Flood T1529 System Shutdown/Reboot Rule 1: SLA failed for jitter Alert Severity: High Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Health Check Log messages that match any one of the following filters: subtype=="sdwan" AND metric=="jitter" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${jitter} which violates the target ID ${slatargetid}. Rule 2: SLA failed for latency Alert Severity: High Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Health Check Log messages that match any one of the following filters: subtype=="sdwan" AND metric=="latency" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${latency} which violates the target ID ${slatargetid}. Rule 3: SLA failed for packetloss Alert Severity: High Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Health Check Log messages that match any one of the following filters: subtype=="sdwan" AND metric=="packetloss" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${packetloss} which violates the target ID ${slatargetid}. Rule 4: Device status changed to die Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid="0113022925" AND newvalue="die" Tags: NOC, SD-WAN Custom message: Device: ${devname} with status ${newvalue}. ${msg}. Rule 5: Device status changed to alive. Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid="0113022925" AND newvalue="alive" Tags: NOC, SD-WAN Custom message: Device: ${devname} with status ${newvalue}. ${msg}. Rule 6: Device status is up Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Health Check Log messages that match any one of the following filters: logid="0113022925" AND status=="up" Tags: NOC, SD-WAN Custom message: Device: ${devname} ${msg} status is ${status}. Rule 7: Device status is down Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Health Check Log messages that match any one of the following filters: logid="0113022925" AND status=="down" Tags: NOC, SD-WAN Custom message: Device: ${devname} ${msg} status is ${status}. Rule 8: Number of pass member changed Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid="0113022923" AND msg="Number of pass member changed." Tags: NOC, SD-WAN Custom message: ${msg} from ${oldvalue} to ${newvalue} for ${devname} Rule 9: Member status changed Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid="0113022923" AND msg="Member status changed. Member out-of-sla." Tags: NOC, SD-WAN Custom message: ${msg}. Member is now ${member} on ${devname}.
Default-NOC-Docker-Events	Alert handler for FortiGate device type logs to generate alerts for Docker including inlcuding container enabled/disabled, CPU value set/max reached and MEM value set/max reached. Disabled by default Rule 1: Memory report detected Alert Severity: Medium Log Device Type: FortiManager Log Type: Event Log Field: Type, Subtype Log messages that match any one of the following filters: log_id=="0042010266" and msg~"MEM" Tags: NOC, Docker Custom message: Device ${devname} with message ${msg}. Rule 2: CPU report detected Alert Severity: Medium Log Device Type: FortiManager Log Type: Event Log Field: Type, Subtype Log messages that match any one of the following filters: log_id=="0042010266" and msg~"CPU" Tags: NOC, Docker Custom message: Device ${devname} with message ${msg}. Rule 3: Status changed to disable Alert Severity: Medium Log Device Type: FortiManager Log Type: Event Log Field: Type, Subtype Log messages that match any one of the following filters: log_id="0001010026" and changes~"status=disable" Tags: NOC, Docker Custom message: Device ${devname} with changes ${changes}. Rule 4: Status changed to enable Alert Severity: Medium Log Device Type: FortiManager Log Type: Event Log Field: Type, Subtype Log messages that match any one of the following filters: log_id="0001010026" and changes~"status=enable" Tags: NOC, Docker Custom message: Device ${devname} with changes ${changes}.
ZTNA Brute Force Login	Detects various brute force login attempts in ZTNA environments. Enabled by default Rule 1: High Volume of Failed Authentications from Multiple Non-Existing Users Triggers an alert when 100 or more non-existing users have failed authentications to a host name within 10 minutes. Alert Severity: Medium Log Device Type: Fabric Log Type: Normalized Log Field: Host Name Log messages that match all of the following filters: Data Source Type = FortiAuthenticator Event Sub Type = Authentication Event ID = 20101 Message: High volume of failed authentications from multiple non-existing users to host: $groupby1 Tags: ZTNA, Login, AccountDiscovery, BruteForce, CredentialSurfing Rule 2: Authentication Failed from Multiple Geo Locations Triggers an alert when an existing account fails to authenticate from three or more different geo locations within five minutes. Alert Severity: High Log Device Type: Fabric Log Type: Normalized Log Field: User ID Log messages that match all of the following filters: Data Source Type = FortiAuthenticator Event Sub Type = Authentication Event Profile contains AUTH_FAIL UEBA User ID > 1024 Message: Authentication failed from multiple geo locations for user: $groupby1 Tags: ZTNA, Login, Geo, BruteForce Rule 3: Brute Force Login Attack Triggers an alert when and existing user has 10 or more failed authentications with an event profile containing AUTH_FAIL_LOCK within 10 minutes. Alert Severity: Medium Log Device Type: Fabric Log Type: Normalized Log Fields: User ID, Event Profile Log messages that match all of the following filters: Data Source Type = FortiAuthenticator Event Sub Type = Authentication Event Profile contains AUTH_FAIL UEBA User ID > 1024 Message: Brute force login attack for user: $groupby1 Tags: ZTNA, Login, BruteForce Rule 4: High Volume of Failed Authentications to Same Non-Existing User Triggers an alert when a non-existing user has at least 100 or more failed authentications within 1440 minutes (one day). Alert Severity: Medium Log Device Type: Fabric Log Type: Normalized Log Field: User ID Log messages that match all of the following filters: Data Source Type = FortiAuthenticator Event Sub Type = Authentication Event ID = 20101 Message: High volume of failed authentications for non-existing user: $groupby1 Tags: ZTNA, Login, BruteForce, DoS
ZTNA Login Anomaly Detection	Detects various suspicious login scenarios in ZTNA environments. Enabled by default Rule 1: Authentication to Multiple Services Failed Triggers an alert when a user has failed authentications to three or more services within 10 minutes. Alert Severity: Medium Log Device Type: Fabric Log Type: Normalized Log Field: User ID Log messages that match all of the following filters: Data Source Type = FortiAuthenticator Event Sub Type = Authentication Event Profile contains AUTH_FAIL UEBA User ID > 1024 Message: Authentication to multiple services failed for user: $groupby1 Tags: ZTNA, Login, PrivilegeEscalation Rule 2: Successful Authentication from Multiple Geo Locations Triggers an alert when a user has successful authentication from three or more unique geo locations within 10 minutes. Alert Severity: Critical Log Device Type: Fabric Log Type: Normalized Log Field: User ID Log Filter by Text: `data_sourcetype = 'FortiAuthenticator' and euid > 1024 and ((event_subtype = 'User' and event_profile = 'SAML_IDP_PORTAL_LOGIN') or (event_subtype = 'Authentication' and event_profile ~ 'AUTH_OK'))` Message: Suspicious successful authentication from multiple geo locations for user: $groupby1 Tags: ZTNA, Login, Geo, ImpossibleTravel Rule 3: Successful Authentication from Multiple Endpoints Triggers an alert when a user has successful authentication from five or more different host_IPs within 10 minutes. Alert Severity: High Log Device Type: Fabric Log Type: Normalized Log Field: User ID, Host Name Log Filter by Text: `data_sourcetype = 'FortiAuthenticator' and euid > 1024 and ((event_subtype = 'User' and event_profile = 'SAML_IDP_PORTAL_LOGIN') or (event_subtype = 'Authentication' and event_profile ~ 'AUTH_OK'))` Message: Suspicious successful authentication from multiple endpoints for user: $groupby1 to host $groupby2 Tags: ZTNA, Login, LateralMovement Rule 4: Successful Authentication from Sanctioned Countries Triggers an alert when a user has at least one successful authentication from sanctioned countries within 10 minutes. Alert Severity: Medium Log Device Type: Fabric Log Type: Normalized Log Field: User ID Log Filter by Text: data_sourcetype='FortiAuthenticator' and euid>1024 and ((event_subtype='User' and event_profile='SAML_IDP_PORTAL_LOGIN') or (event_subtype='Authentication' and event_profile~'AUTH_OK')) and (src_geo_country='Russian Federation' or src_geo_country='Belarus' or src_geo_country='Iraq' or src_geo_country='Sri Lanka' or src_geo_country='Central African Republic' or src_geo_country='Syrian Arab Republic' or src_geo_country='Libyan Arab Jamahiriya' or src_geo_country='Korea, Democratic People\'s Republic of' or src_geo_country='Nicaragua' or src_geo_country='China' or src_geo_country~'Iran' or src_geo_country='Venezuela' or src_geo_country='Yemen' or src_geo_country='Lebanon' or src_geo_country='Myanmar' or src_geo_country~'Sudan' or src_geo_country~'Moldova' or src_geo_country~'Congo' or src_geo_country='Guatemala' or src_geo_country='Ukraine' or src_geo_country='Haiti' or src_geo_country='Somalia' or src_geo_country='Zimbabwe') Message: Successful authentication from sanctioned countries for user: $groupby1 Tags: ZTNA, Login, Geo, PolicyViolation, Compliance

Below are examples of raw logs that would trigger the associated default alert handler.

Default Alert Handler	Example Log
Local Device Event	id=6872390755323740160 itime=2020-09-14 10:06:03 euid=1 epid=1 dsteuid=1 dstepid=1 log_id=0034043006 subtype=logdb type=event level=warning time=10:06:03 date=2020-09-14 user=system action=delete msg=Requested to trim database tables older than 60 days to enforce the retention policy of Adom root. userfrom=system desc=Trim local db devid=FAZ-VMTM20001572 devname=FAZ-VMTM20001572 dtime=2020-09-14 10:06:03 itime_t=1600103163
Default-Compromised Host-Detection-by IOC-By-Threat	date=2020-09-20 time=07:41:20 id=6874471739997290516 itime=2020-09-20 00:41:20 euid=3 epid=1161 dsteuid=3 dstepid=101 type=utm subtype=ips level=warning sessionid=917509475 policyid=2 srcip=172.16.93.164 dstip=5.79.68.109 srcport=51392 dstport=80 proto=6 logid=0421016399 service=HTTP eventtime=1537181449 crscore=30 crlevel=high srcintfrole=lan dstintfrole=wan direction=outgoing url=/ hostname=survey-smiles.com profile=default eventtype=malicious-url srcintf=95-FortiCloud dstintf=OSPF msg=URL blocked by malicious-url-list devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:20 itime_t=1600587680 devname=FG100D3G02000011
Default-Risky-App-Detection-By-Threat	date=2020-09-20 time=07:41:23 id=6874471752882192399 itime=2020-09-20 00:41:23 euid=3 epid=1201 dsteuid=3 dstepid=101 type=utm subtype=app-ctrl level=information action=pass sessionid=3003333495 policyid=79 srcip=172.16.80.218 dstip=122.195.166.40 srcport=38625 dstport=26881 proto=6 logid=1059028704 service=tcp/26881 eventtime=1537399002 incidentserialno=603516169 crscore=5 crlevel=low direction=outgoing apprisk=high appid=6 srcintfrole=lan dstintfrole=wan applist=scan appcat=P2P app=BitTorrent eventtype=app-ctrl-all srcintf=80-software-r dstintf=port7 msg=P2P: BitTorrent_HTTP.Track, devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:23 itime_t=1600587683 devname=FG100D3G02000011
Default_NOC_Routing_Events	date=2021-02-08 time=10:36:09 eventtime=1612809370040652208 tz="-0800" logid="0103027001" type="event" subtype="router" level="information" vd="root" logdesc="VRRP state changed" interface="port1" msg="VRRP vrid 200 vrip 172.17.200.200 changes state from Master to Backup due to ADVERTISEMENT with higherer priority received"

FortiOS system alerts

FortiOS predefined system alert handlers are consolidated into a single alert handler with multiple rules called Default-FOS-System-Events.

Alerts are organized by device in the Incidents & Alerts dashboards, which can be expanded to view all related alerts.

Default-FOS-System-Events rules apply tags to each alert, allowing you to identify which Default-FOS-System-Events rule triggered the alert.

Predefined basic alert handlers

If you wish to recieve notifications from a pedefined alert handler, configure a notification profile and assign it to the alert handler. See Creating notification profiles.

In 6.2.0 and up, predefined alert handlers have been consolidated and have multiple rules that can be enabled or disabled individually.

The following are a small sample of FortiAnalyzer predefined basic alert handlers.

Alert Handler	Description
Default-Compromised-Host-Detection-IOC-By-Threat	Default alert handler to detect compromised hosts by FortiAnalyzer IOC feature grouped by threat. Enabled by default MITRE Tech IDs: T1071.001 Web Protocols T1071.004 DNS T1041 Exfiltration Over C2 Channel Rule 1: Traffic to CnC detected Alert Severity: Critical Log Device Type: FortiGate Log Type: Traffic Log > Any Log Field: Destination IP, Endpoint Log messages that match all of the following filters: tdtype~infected Status: Unhandled Tags: IP, C&C, Ioc_Rescan Custom Message: Traffic to C&C:${dstip}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 2: Web traffic to CnC detected Alert Severity: Critical Log Device Type: FortiGate Log Type: Web Filter Log Field: Hostname URL, Source Endpoint Log messages that match all of the following filters: tdtype~infected Status: Unhandled Tags: C&C, URL, Ioc_Rescan Custom Message: Traffic to C&C:${hostname}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 3: DNS traffic to CnC detected Alert Severity: Critical Log Device Type: FortiGate Log Type: DNS Log Log Field: QNAME, Source Endpoint Log messages that match all of the following filters: tdtype~infected Status: Unhandled Tags: C&C, Domain, Ioc_Rescan Custom Message: Traffic to C&C:${qname}, Traffic path: PolicyID ${policyid}\${dstintf}\${dstip}:${dstport} Rule 4: Traffic to CnC event detected by FortiGate Alert Severity: Critical Log Device Type: FortiGate Log Type: Event Log > System Log Field: Source IP Log messages that match all of the following filters: logid==0100020214 Status: Unhandled Tags: C&C Custom Message: FGT detected traffic to IOC location, from the source ip:${srcip}
Default-Data-Leak-Detection-By-Threat	Default data leak detection handler grouped by threat. Disabled by default MITRE Tech ID: T1005 Data from Local System Rule 1: Data leak detected Alert Severity: Medium Log Device Type: FortiGate Log Type: DLP Log Field: Filter Category, Source Endpoint Log messages that match all of the following filters: action==log-only or action==allow Status: Unhandled Tags: Signature, Leak Custom Message: File:${filename} (Type:${filetype}, Size:${filesize}), Traffic path: PolicyID ${policyid}\${dstip}:${dstport} Rule 2: Data leak blocked Alert Severity: Low Log Device Type: FortiGate Log Type: DLP Log Field: Filter Category, Source Endpoint Log messages that match all of the following filters: action!=log-only and action!=allow Status: Mitigated Tags: Signature, Leak Custom Message: File:${filename} (Type:${filetype}, Size:${filesize}), Traffic path: PolicyID ${policyid}\${dstip}:${dstport}
Default-Sandbox-Detections-By-Endpoint	Default handler to track file submission and malware detection by FortiSandbox grouped by endpoint. Disabled by default MITRE Tech IDs: T1041 Exfiltration Over C2 Channel Rule 1: Malware detected Alert Severity: Critical Log Device Type: FortiGate Log Type: AntiVirus Log Field: Source Endpoint, Virus Name Log messages that match all of the following filters: logid==0211009235 or logid==0211009237 Status: Unhandled Tags: Sandbox, Signature, Malware Custom Message: Malware:${virus} with severity:${crlevel} found in file:${filename} from ${dstip}:${dstport}, Reference: ${ref} Rule 2: Malware blocked Alert Severity: Critical Log Device Type: FortiGate Log Type: AntiVirus Log Field: Source Endpoint, Virus Name Log messages that match all of the following filters: logid==0211009234 or logid==0211009236 Status: Mitigated Tags: Sandbox, Signature, Malware Custom Message: Malware:${virus} with severity:${crlevel} found in file:${filename} from ${dstip}:${dstport}, Reference: ${ref} Rule 3: Sandbox detected Malware Alert Severity: Critical Log Device Type: FortiGate Log Type: AntiVirus Log Field: Source Endpoint Log messages that match any one of the following filters: logid==0201009238 and fsaverdict==malicious Status: Unhandled Tags: Sandbox, Malware Custom Message: File:${filename}, Traffic path: ${dstintf}(Policy:${policyid})\${dstip}:${dstport}, Checksum:${analyticscksum}
Default-Shadow-IT-Events	Default alert handler to detect unsanctioned user, application and file exfiltration for cloud access. This alert handler requires a FortiCASB connector configured on FortiAnalyzer. See Configuring security fabric connectors. This automatically creates the Get Cloud Service Data (FortiCasb Connector) playbook, which must be enabled for this alert handler to generate alerts. See Playbooks. Disabled by default MITRE Tech ID: T1011 Exfiltration Over Other Network Medium Rule 1: Unsanctioned Applications detected Alert Severity: High Log Device Type: FortiGate Log Type: Application Control Log Field: Source IP, Application Name Log messages that match all of the following filters: (siflags & 1) == 0 && siappid >=0 Status: Unhandled Tags: Unsanctioned_App Custom Message: Unsanctioned application ${app} with app risk: ${apprisk} detected on: ${devname} with message: ${msg} Rule 2: File Exfiltration Attempts detected Alert Severity: High Log Device Type: FortiGate Log Type: Application Control Log Field: Source IP, Application Name Log messages that match all of the following filters: (siflags & 4) == 4 Status: Unhandled Tags: File_Exfiltration Custom Message: File exfiltration detected on: ${devname} with message: ${msg} Rule 3: Unsanctioned Users detected Alert Severity: High Log Device Type: FortiGate Log Type: Application Control Log Field: Source IP, Application Name Log messages that match all of the following filters: (siflags & 1) == 1 && (siflags & 2) == 0 Status: Unhandled Tags: Unsanctioned_User Custom Message: Unsanctioned user: ${unauthuser} with app risk: ${apprisk} detected on: ${devname} with message: ${msg}
Local Device Event	Default local device alert handler. Available only in the Root ADOM. Enabled by default Data Selector: Default Local Device Selector Rule 1: Critical or important events Alert Severity: Medium Log Device Type: Local Device Log Type: Event Log Field: Log Description Log messages that match the following filters: Level Greater Than or Equal To Warning Tags: System, Local
Default-NOC-Interface-Events	Alert handler for FortiGate device type logs to generate alerts for vlan/interface status up or down, and DNS service on interface status. Disabled by default MITRE Tech ID: T1489 Service Stop Rule 1: Interface status changed to up Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: action="interface-stat-change" and status="UP" Tags: NOC, Interface Custom message: Device ${devname}, status changed to ${status} with message ${msg}. Rule 2: Interface status changed to down Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: action="interface-stat-change" and status="DOWN" Tags: NOC, Interface Custom message: Device ${devname}, status changed to ${status} with message ${msg}. Rule 3: DNS server config added Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: cfgpath="system.dns-server" and action="Add" Tags: NOC, Interface, DNS Custom Message: Device ${devname}, DNS server status changed with message ${msg}. Rule 4: DNS server config deleted Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match all of the following filters: cfgpath="system.dns-server" and action="Delete" Tags: NOC, Interface, DNS Custom Message: Device ${devname}, DNS server status changed with message ${msg}.
Default-NOC-FortiExtender-Events	Alert handler for FortiGate device type logs to generate alerts for FortiExtender alerts, authorization and controller activity alerts. Disabled by default MITRE Tech ID: T1499.001 OS Exhaustion Flood Rule 1: FortiExtender Authorized Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: action="FortiExtender Authorized" Tags: NOC, FortiExtender Custom message: Device: ${ip} ${action} with message: ${msg} Rule 2: Warning event detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: level="warning" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 3: Alert event detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: level="alert" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 4: Critical event detected Alert Severity: Critical Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: level="critical" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 5: Error event detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: level="error" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 6: Emergency event detected Alert Severity: Critical Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: level="emergency" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 7: FortiExtender controller activity detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: logid="0111046401" and logdesc="FortiExtender controller activity" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg} Rule 8: FortiExtender controller activity error detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > FortiExtender Log Field: SN, Log Description Log messages that match any one of the following filters: logid="0111046402" and logdesc="FortiExtender controller activity error" Tags: NOC, FortiExtender Custom message: ${action} on ${ip} with message: ${msg}
Default-NOC-Routing-Events	Alert handler for FortiGate device type logs to generate alerts for changes in routing information including BGP Neighbor Status, Routing information change, OSFP Neighbor Status, Neighbor Table Changed and VRRP State Changed. Disabled by default Rule 1: Routing information changed Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc="Routing information changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 2: BGP neighbor status changed Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Router Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc="BGP neighbor status changed" Tags: NOC, Routing Custom message: ${devname}. BGP neighbor status changed with message ${msg} Rule 3: OSPF or OSPF6 neighbor status changed Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Router Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="OSPF neighbor status changed" OR logdesc=="OSPF6 neighbor status changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 4: Neighbor table changed Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Router Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="neighbor table change" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg} Rule 5: VRRP state changed Event Severity: Medium Log Device Type: FortiGate Log Type: Event > Router Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="VRRP state changed" Tags: NOC, Routing Custom message: ${logdesc} on ${devname} with message ${msg}
Default-NOC-Network-Events	Alert handler for FortiGate device type logs to generate network alerts including SNMP queries, routing information changes, DHCP server and status changes. Disabled by default Rule 1: Device SNMP query failed Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match all of the following filters: logid="0100029021" AND logdesc="SNMP query failed" Tags: NOC, Network Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 2: Device routing information changed Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Routing information changed" Tags: NOC, Network Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 3: DHCP client lease granted or usage high Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="DHCP client lease granted" OR logdesc=="DHCP lease usage high" OR logdesc=="DHCP lease usage full" Tags: NOC, Network Custom message: DHCP status on Device ${devname} is ${logdesc} with message: ${msg} Rule 4: SNMP enabled Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: cfgpath="system.snmp.sysinfo" and logdesc="Attribute configured" and cfgattr=status[disable->enable] Tags: NOC, Network Custom message: Device ${devname} ${logdesc} ${cfgattr} with message ${msg}. Rule 5: SNMP disabled Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: cfgpath="system.snmp.sysinfo" and logdesc="Attribute configured" and cfgattr=status[enable->disable] Tags: NOC, Network Custom message: Device ${devname} ${logdesc} ${cfgattr} with message ${msg}. Rule 6: DHCP server status changed Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match all of the following filters: cfgpath="system.dhcp.server" and logdesc="Object attribute configured" Tags: NOC, Network Custom message: DHCP server status change ${cfgattr} with message ${msg}. Rule 7: DHCP lease renewed Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: dhcp_msg="Ack" and logdesc="DHCP Ack log" Tags: NOC, Network Custom message: Host ${hostname} with message ${msg}. Rule 8: DHCP lease released Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match all of the following filters: dhcp_msg="Release" and logdesc="DHCP Release log" Tags: NOC, Network Custom message: Host ${hostname} with message ${msg}.
Default-NOC-Switch-Events	Alert handler for FortiGate device type logs to generate alerts for Switch-Controller added/deleted or authorized/deauthorized, Switch-Controller Status, Interface flapping, LAG/MCLAG and split-brain status, Cable test/diagnosis and physical port up/down. Disabled by default MITRE Tech ID: T1489 Service Stop Rule 1: Switch-Controller activity detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Message Log messages that match all of the following filters: (subtype="switch-controller") and (logdesc=="Switch-Controller discovered" OR logdesc=="Switch-Controller authorized" OR logdesc=="Switch-Controller deauthorized" OR logdesc=="Switch-Controller deleted" OR logdesc=="Switch-Controller warning") Tags: NOC, Switch, Controller Custom message: ${logdesc} Rule 2: Vlan interface change has occurred Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc='FortiSwitch system' and msg~"interface vlan" Tags: NOC, Switch, Controller Custom message: Device ${devname} interface vlan change with message: ${msg} Rule 3: Port switch detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Message Log messages that match any one of the following filters: logdesc="FortiSwitch link" AND msg~"switch port" Tags: NOC, Switch, Controller Custom message: ${logdesc} on Device: ${devname} with message: ${msg} Rule 4: Device flap detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Message Log messages that match any one of the following filters: msg~"flap" Tags: NOC, Switch, Controller Default message Rule 5: Device LAG-MCLAG status change Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: msg~"lag" OR msg~"mclag" Tags: NOC, Switch, Controller Custom message: Device: ${devname} LAG-MCLAG status update with message: ${msg} Rule 6: Device MCLAG split-brain detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: log_id=0115032695 and msg~"MCLAG split-brain" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 7: Device cable diagnose detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: log_id=0115032699 and msg~"CABLE DIAGNOSE" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 8: Device come up detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: log_id=="0115032695" and msg~"come up" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}. Rule 9: Device gone down detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Any Log Field: Device Name, Log Description Log messages that match any one of the following filters: log_id=="0115032695" and msg~"gone down" Tags: NOC, Switch, Controller Custom message: Device ${devname} ${msg}.
Default-NOC-HA-Events	Alert handler for FortiGate device type logs to generate alerts for HA cluster updates and alerts including HA Device interface failure, Cluster Priority Changed, cluster member state moved, device interface down, HA device syncronization status, connection to FortiAnalyzer status, FortiManager tunnel connection status and connection with CSF member status. Disabled by default MITRE Tech ID: T1489 Service Stop Rule 1: HA device interface failed Alert Severity: High Log Device Type: FortiGate Log Type: Event > HA Log Field: Device Name, Message Log messages that match any one of the following filters: logdesc=="HA device interface failed" and logid=="0108037898" Tags: NOC, HA, Cluster Default message Rule 2: Device set as HA primary Alert Severity: High Log Device Type: FortiGate Log Type: Event > HA Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Device set as HA primary" Tags: NOC, HA, Cluster Custom message: Device: ${devname} has been set to HA Primary with msg: ${msg} Rule 3: Cluster state moved or Heartbeat device interface down Alert Severity: High Log Device Type: FortiGate Log Type: Event > HA Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Virtual cluster member state moved" OR logdesc=="Heartbeat device interface down" Tags: NOC, HA, Cluster Custom message: Device: ${devname} ${logdesc} with HA role: ${ha_role} Rule 4: Synchronization activity detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > HA Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="HA secondary synchronization failed" OR logdesc=="Secondary sync failed" OR logdesc="Synchronization status with master" Tags: NOC, HA, Cluster Custom message: Device: HA synchronization status for Device: ${devname} ${logdesc}. Message: ${msg}. Status is: ${sync_status} Rule 5: FortiAnalyzer connection up Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: action="connect" and status="success" and logdesc="FortiAnalyzer connection up" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 6: FortiAnalyzer connection failed Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that any one all of the following filters: action="connect" and status="failure" and logdesc="FortiAnalyzer connection failed" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 7: Upstream connection with CSF member established and authorized Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: direction="upstream" and logdesc="Connection with CSF member established and authorized" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 8: Upstream connection with authorized CSF member terminated Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: direction="upstream" and logdesc="Connection with authorized CSF member terminated" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${msg}. Rule 9: FortiManager tunnel connection up Event Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: action="connect" and status="success" and logdesc="FortiManager tunnel connection up" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${logdesc} with message - ${msg}. Rule 10: FortiManager tunnel connection down Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: action="connect" and status="failure" and logdesc="FortiManager tunnel connection down" Tags: NOC, HA, Cluster Custom message: Device ${devname} ${logdesc} with message - ${msg}.
Default-NOC-Wireless-Events	Alert handler for FortiGate device type logs to generate alerts for wireless wifi, AP updates and alerts including AP Status Change and Fake/Rogue AP detection, wireless client status change added/removed/allowed or denied status, signal to noise ratio (SNR) poor/fair/good, SSID status up/down. Disabled by default Rule 1: Fake AP detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name, SSID Log messages that match any one of the following filters: logid="0104043567" AND logdesc=="Fake AP detected" Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. SN: ${sndetected} Rule 2: Rogue AP detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name, SSID Log messages that match any one of the following filters: logid=="0104043563" AND logdesc=="Rogue AP detected" Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. SN: ${sndetected} with message: ${msg} Rule 3: Wireless event log id matched Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name, Message Log messages that match any one of the following filters: subtype="wireless" AND (logid=="0104043551" OR logid=="0104043552" OR logid=="0104043553") Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc}. of AP: ${ap} Rule 4: Wireless client activity detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name, Log Description Log messages that match any one of the following filters: (logdesc=="Wireless client associated" OR logdesc=="Wireless client authenticated" OR logdesc=="Wireless client disassociated" OR logdesc=="Wireless client deauthenticated" OR logdesc=="Wireless client idle" OR logdesc=="Wireless client denied" OR logdesc=="Wireless client kicked" OR logdesc="Wireless client IP assigned" OR logdesc=="Wireless client left WTP" OR logdesc=="Wireless client WTP disconnected") Tags: NOC, Wireless, Wifi, AP Custom message: ${logdesc} for ${ssid} with message: ${msg} Rule 5: Signal-to-noise ratio is poor Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name Log messages that match any one of the following filters: snr<="24" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has a poor quality SNR at ${snr} dB. Rule 6: Signal-to-noise ratio is fair Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name Log messages that match any one of the following filters: snr>="25" and snr<="40" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has fair quality SNR at ${snr} dB. Rule 7: Signal-to-noise ratio on is excellent Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: Device Name Log messages that match any one of the following filters: snr>="41" Tags: NOC, Wireless, Wifi, AP Custom message: SSID ${ssid}. has excellent quality SNR at ${snr} dB. Rule 8: Physical AP radio ssid up Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: SSID, Log Description Log messages that match any one of the following filters: logdesc="Physical AP radio ssid up" and action="ssid-up" Tags: NOC, Wireless, Wifi, AP Custom message: Device ${sn} SSID status change with message ${msg}. Rule 9: Physical AP radio ssid down Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > Wireless Log Field: SSID, Log Description Log messages that match any one of the following filters: logdesc="Physical AP radio ssid down" and action="ssid-down" Tags: NOC, Wireless, Wifi, AP Custom message: Device ${sn} SSID status change with message ${msg}.
Default-NOC-Security-Events	Alert handler for FortiGate device type logs to generate alerts for security alerts including Admin Logins failed or disabled, Admin or Admin Monitor Disconnected, Admin password expired and UTM Profile changes. Disabled by default Rule 1: Admin login failed or desabled Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Admin login failed" OR logdesc=="Admin login disabled" OR logdesc=="SSL VPN login fail" Tags: NOC, Security, Login, Password Custom message: ${logdesc} for ${user} on device: ${devname} due to: ${reason} with message: ${msg} Rule 2: Admin password expired Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Admin password expired" Tags: NOC, Security, Login, Password Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 3: Admin disconnected Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Admin disconnected" OR logdesc=="Admin monitor disconnected" Tags: NOC, Security, Login, Password Custom message: ${logdesc} on device: ${devname} with message: ${msg} Rule 4: AV or IPS change detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="AV updated by admin" OR logdesc=="IPS package - Admin update successful" OR logdesc=="AV package update by SCP failed" OR logdesc=="IPS package failed to update via SCP" OR logdesc=="IPS custom signatures backup failed" Tags: NOC, Security, Login, Password Custom message: Device: ${devname} ${logdesc} with message: ${msg}
Default-NOC-Fabric-Events	Alert handler for FortiAnalyzer and FortiGate log device type to detect Fabric alerts, including device offline, CSF member connection status down or terminated, CSF member configuration changes, automation stitch triggered , licenses that are expiring or failed updates. Disabled by default MITRE Tech ID: T1529 System Shutdown/Reboot Rule 1: Device offline detected Alert Severity: High Log Device Type: FortiAnalyzer Log Type: Application Log Log Field: Logging Device Name, Message Log messages that match any one of the following filters: desc="Device offline" Tags: NOC, Fabric Custom message: ${logdev_id} is offline Rule 2: FortiAnalyzer connection down detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Message Log messages that match any one of the following filters: logdesc="FortiAnalyzer connection down" Tags: NOC, Fabric Default message Rule 3: Connection with authorized CSF member terminated Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Message Log messages that match all of the following filters: logdesc="Connection with authorized CSF member terminated" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devid} due to: ${reason} Rule 4: Automation stitch triggered Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc="Automation stitch triggered" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devname} with message: ${msg} and stitch action: ${stitchaction} Rule 5: Device license failed or expiring detected Alert Severity: Critical Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Message Log messages that match any one of the following filters: logdesc~"license failed" OR logdesc~"license expiring" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devid} Rule 6: System update or failure detected Alert Severity: Critical Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Message Log messages that match all of the following filters: logdesc~"update" AND logdesc~"failed" Tags: NOC, Fabric Custom message: ${logdesc} on: ${devname} with message: ${msg} Rule 7: Security fabric settings change detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Settings modified by Security Fabric service" OR logdesc=="Looped configuration in Security Fabric service" OR logdesc=="Connection with CSF member established and authorized" OR logdesc=="Connection with authorized CSF member terminated" OR logdesc=="Serial number of upstream is changed" Tags: NOC, Fabric Custom message: Device: ${devname} change with message: ${msg}
Default-NOC-System-Events	Alert handler for FortiGate device type logs to generate alerts for system alerts including Power failure and device shutdown, High Resource usage (CPU, Mem, Storage), log device full status warnings and disk rolled, and devices entering/exiting conserve mode. Disabled by default MITRE Tech IDs: T1496 Resource Hijacking T1529 System Shutdown/Reboot Rule 1: Device shutdown detected Alert Severity: Critical Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc="Device shutdown" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devname} experienced $logdesc with message: ${msg} Rule 2: Device conserve mode detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid=="0100022011" OR logid=="0100022802" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${logdesc} on Device: ${devname} with message ${msg} Rule 3: Disk or memory is full Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: logdesc=="Disk log full over first warning" OR logdesc=="Memory log full over first warning level" OR logdesc=="Memory log full over second warning level" OR logdesc=="Memory log full over final warning level" OR logdesc=="Disk full" OR logdesc=="Disk log rolled" OR logdesc=="Log disk full" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: Device: ${devname} ${logdesc} with message: ${msg} Rule 4: Device high CPU consumption detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: cpu>="80" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devid} performance cpu: ${cpu} Rule 5: Device high memory consumption detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > System Log Field: Device Name, Log Description Log messages that match any one of the following filters: mem>="75" Tags: NOC, System, Power, CPU, Memory, Storage Custom message: ${devid} performance memory: ${memory}
Default-NOC-VPN-Events	Alert handler for FortiGate device type logs to generate alerts for VPN status changes including IPsec Phase1 error or failure, and Phase2 Up/Down and errors, Ipsec Tunnel Up/Down, VPN SSL login failures, IPSec ESP Error, IPsec DPD failures. Disabled by default MITRE Tech IDs: T1133 External Remote Services T1572 Protocol Tunneling Rule 1: User SSL VPN login failed Alert Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Source End User Log messages that match any one of the following filters: logid=="0101039426" and action=="ssl-login-fail" Tags: NOC, VPN Custom message: ${logdesc} due to: ${reason} Rule 2: IPsec phase 1 error or status fail detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Message Log messages that match any one of the following filters: (logid=="0101037124" OR logid=="0101037120") and (logdesc=="IPsec phase 1 error" OR status="fail") Tags: NOC, VPN Custom message: ${logdesc} due to: ${status} with reason: ${reason} Rule 3: IPsec ESP error detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Message Log messages that match any one of the following filters: logid=="0101037131" and logdesc=="IPsec ESP" Tags: NOC, VPN Custom message: ${status} on: ${devname}, ${error_num} Rule 4: IPsec DPD failed Alert Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Message Log messages that match any one of the following filters: logid=="0101037136" and logdesc=="IPsec DPD failed" Tags: NOC, VPN Custom message: ${msg} on device: ${devname} Rule 5: Device tunnel-up or tunnel-down detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid="0101037138" and (action="tunnel-up" or action= "tunnel-down") Tags: NOC, VPN Custom message: ${msg} due to: ${action} Rule 6: IPsec phase 2 error detected Alert Severity: High Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Message Log messages that match any one of the following filters: logid=="0101037125" and logdesc=="IPsec phase 2 error" Tags: NOC, VPN Custom message: ${logdesc} due to: ${reason} Rule 7: Device phase2-up or phase2-down detected Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > VPN Log Field: Device Name, Message Log messages that any one all of the following filters: logid=="0101037139" and (action=="phase2-up" OR action=="phase2-down") Tags: NOC, VPN Custom message: ${logdesc} due to: ${action}
Default-NOC-SD-WAN-Events	Alert handler for FortiGate device type logs to generate alerts for SD-WAN status, alerts, and health check alerts including SLA targets/SLA met or not met for jitter, latency, packetloss, Health-check server status (alive or dead), status (up or down), and member status change. Disabled by default MITRE Tech IDs: T1499.002 Service Exhaustion Flood T1529 System Shutdown/Reboot Rule 1: SLA failed for jitter Alert Severity: High Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Health Check Log messages that match any one of the following filters: subtype=="sdwan" AND metric=="jitter" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${jitter} which violates the target ID ${slatargetid}. Rule 2: SLA failed for latency Alert Severity: High Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Health Check Log messages that match any one of the following filters: subtype=="sdwan" AND metric=="latency" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${latency} which violates the target ID ${slatargetid}. Rule 3: SLA failed for packetloss Alert Severity: High Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Health Check Log messages that match any one of the following filters: subtype=="sdwan" AND metric=="packetloss" AND msg~"SLA failed" Tags: NOC, SD-WAN Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${packetloss} which violates the target ID ${slatargetid}. Rule 4: Device status changed to die Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid="0113022925" AND newvalue="die" Tags: NOC, SD-WAN Custom message: Device: ${devname} with status ${newvalue}. ${msg}. Rule 5: Device status changed to alive. Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid="0113022925" AND newvalue="alive" Tags: NOC, SD-WAN Custom message: Device: ${devname} with status ${newvalue}. ${msg}. Rule 6: Device status is up Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Health Check Log messages that match any one of the following filters: logid="0113022925" AND status=="up" Tags: NOC, SD-WAN Custom message: Device: ${devname} ${msg} status is ${status}. Rule 7: Device status is down Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Health Check Log messages that match any one of the following filters: logid="0113022925" AND status=="down" Tags: NOC, SD-WAN Custom message: Device: ${devname} ${msg} status is ${status}. Rule 8: Number of pass member changed Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid="0113022923" AND msg="Number of pass member changed." Tags: NOC, SD-WAN Custom message: ${msg} from ${oldvalue} to ${newvalue} for ${devname} Rule 9: Member status changed Alert Severity: Medium Log Device Type: FortiGate Log Type: Event > SD-WAN Log Field: Device Name, Log Description Log messages that match any one of the following filters: logid="0113022923" AND msg="Member status changed. Member out-of-sla." Tags: NOC, SD-WAN Custom message: ${msg}. Member is now ${member} on ${devname}.
Default-NOC-Docker-Events	Alert handler for FortiGate device type logs to generate alerts for Docker including inlcuding container enabled/disabled, CPU value set/max reached and MEM value set/max reached. Disabled by default Rule 1: Memory report detected Alert Severity: Medium Log Device Type: FortiManager Log Type: Event Log Field: Type, Subtype Log messages that match any one of the following filters: log_id=="0042010266" and msg~"MEM" Tags: NOC, Docker Custom message: Device ${devname} with message ${msg}. Rule 2: CPU report detected Alert Severity: Medium Log Device Type: FortiManager Log Type: Event Log Field: Type, Subtype Log messages that match any one of the following filters: log_id=="0042010266" and msg~"CPU" Tags: NOC, Docker Custom message: Device ${devname} with message ${msg}. Rule 3: Status changed to disable Alert Severity: Medium Log Device Type: FortiManager Log Type: Event Log Field: Type, Subtype Log messages that match any one of the following filters: log_id="0001010026" and changes~"status=disable" Tags: NOC, Docker Custom message: Device ${devname} with changes ${changes}. Rule 4: Status changed to enable Alert Severity: Medium Log Device Type: FortiManager Log Type: Event Log Field: Type, Subtype Log messages that match any one of the following filters: log_id="0001010026" and changes~"status=enable" Tags: NOC, Docker Custom message: Device ${devname} with changes ${changes}.
ZTNA Brute Force Login	Detects various brute force login attempts in ZTNA environments. Enabled by default Rule 1: High Volume of Failed Authentications from Multiple Non-Existing Users Triggers an alert when 100 or more non-existing users have failed authentications to a host name within 10 minutes. Alert Severity: Medium Log Device Type: Fabric Log Type: Normalized Log Field: Host Name Log messages that match all of the following filters: Data Source Type = FortiAuthenticator Event Sub Type = Authentication Event ID = 20101 Message: High volume of failed authentications from multiple non-existing users to host: $groupby1 Tags: ZTNA, Login, AccountDiscovery, BruteForce, CredentialSurfing Rule 2: Authentication Failed from Multiple Geo Locations Triggers an alert when an existing account fails to authenticate from three or more different geo locations within five minutes. Alert Severity: High Log Device Type: Fabric Log Type: Normalized Log Field: User ID Log messages that match all of the following filters: Data Source Type = FortiAuthenticator Event Sub Type = Authentication Event Profile contains AUTH_FAIL UEBA User ID > 1024 Message: Authentication failed from multiple geo locations for user: $groupby1 Tags: ZTNA, Login, Geo, BruteForce Rule 3: Brute Force Login Attack Triggers an alert when and existing user has 10 or more failed authentications with an event profile containing AUTH_FAIL_LOCK within 10 minutes. Alert Severity: Medium Log Device Type: Fabric Log Type: Normalized Log Fields: User ID, Event Profile Log messages that match all of the following filters: Data Source Type = FortiAuthenticator Event Sub Type = Authentication Event Profile contains AUTH_FAIL UEBA User ID > 1024 Message: Brute force login attack for user: $groupby1 Tags: ZTNA, Login, BruteForce Rule 4: High Volume of Failed Authentications to Same Non-Existing User Triggers an alert when a non-existing user has at least 100 or more failed authentications within 1440 minutes (one day). Alert Severity: Medium Log Device Type: Fabric Log Type: Normalized Log Field: User ID Log messages that match all of the following filters: Data Source Type = FortiAuthenticator Event Sub Type = Authentication Event ID = 20101 Message: High volume of failed authentications for non-existing user: $groupby1 Tags: ZTNA, Login, BruteForce, DoS
ZTNA Login Anomaly Detection	Detects various suspicious login scenarios in ZTNA environments. Enabled by default Rule 1: Authentication to Multiple Services Failed Triggers an alert when a user has failed authentications to three or more services within 10 minutes. Alert Severity: Medium Log Device Type: Fabric Log Type: Normalized Log Field: User ID Log messages that match all of the following filters: Data Source Type = FortiAuthenticator Event Sub Type = Authentication Event Profile contains AUTH_FAIL UEBA User ID > 1024 Message: Authentication to multiple services failed for user: $groupby1 Tags: ZTNA, Login, PrivilegeEscalation Rule 2: Successful Authentication from Multiple Geo Locations Triggers an alert when a user has successful authentication from three or more unique geo locations within 10 minutes. Alert Severity: Critical Log Device Type: Fabric Log Type: Normalized Log Field: User ID Log Filter by Text: `data_sourcetype = 'FortiAuthenticator' and euid > 1024 and ((event_subtype = 'User' and event_profile = 'SAML_IDP_PORTAL_LOGIN') or (event_subtype = 'Authentication' and event_profile ~ 'AUTH_OK'))` Message: Suspicious successful authentication from multiple geo locations for user: $groupby1 Tags: ZTNA, Login, Geo, ImpossibleTravel Rule 3: Successful Authentication from Multiple Endpoints Triggers an alert when a user has successful authentication from five or more different host_IPs within 10 minutes. Alert Severity: High Log Device Type: Fabric Log Type: Normalized Log Field: User ID, Host Name Log Filter by Text: `data_sourcetype = 'FortiAuthenticator' and euid > 1024 and ((event_subtype = 'User' and event_profile = 'SAML_IDP_PORTAL_LOGIN') or (event_subtype = 'Authentication' and event_profile ~ 'AUTH_OK'))` Message: Suspicious successful authentication from multiple endpoints for user: $groupby1 to host $groupby2 Tags: ZTNA, Login, LateralMovement Rule 4: Successful Authentication from Sanctioned Countries Triggers an alert when a user has at least one successful authentication from sanctioned countries within 10 minutes. Alert Severity: Medium Log Device Type: Fabric Log Type: Normalized Log Field: User ID Log Filter by Text: data_sourcetype='FortiAuthenticator' and euid>1024 and ((event_subtype='User' and event_profile='SAML_IDP_PORTAL_LOGIN') or (event_subtype='Authentication' and event_profile~'AUTH_OK')) and (src_geo_country='Russian Federation' or src_geo_country='Belarus' or src_geo_country='Iraq' or src_geo_country='Sri Lanka' or src_geo_country='Central African Republic' or src_geo_country='Syrian Arab Republic' or src_geo_country='Libyan Arab Jamahiriya' or src_geo_country='Korea, Democratic People\'s Republic of' or src_geo_country='Nicaragua' or src_geo_country='China' or src_geo_country~'Iran' or src_geo_country='Venezuela' or src_geo_country='Yemen' or src_geo_country='Lebanon' or src_geo_country='Myanmar' or src_geo_country~'Sudan' or src_geo_country~'Moldova' or src_geo_country~'Congo' or src_geo_country='Guatemala' or src_geo_country='Ukraine' or src_geo_country='Haiti' or src_geo_country='Somalia' or src_geo_country='Zimbabwe') Message: Successful authentication from sanctioned countries for user: $groupby1 Tags: ZTNA, Login, Geo, PolicyViolation, Compliance

Below are examples of raw logs that would trigger the associated default alert handler.

Default Alert Handler	Example Log
Local Device Event	id=6872390755323740160 itime=2020-09-14 10:06:03 euid=1 epid=1 dsteuid=1 dstepid=1 log_id=0034043006 subtype=logdb type=event level=warning time=10:06:03 date=2020-09-14 user=system action=delete msg=Requested to trim database tables older than 60 days to enforce the retention policy of Adom root. userfrom=system desc=Trim local db devid=FAZ-VMTM20001572 devname=FAZ-VMTM20001572 dtime=2020-09-14 10:06:03 itime_t=1600103163
Default-Compromised Host-Detection-by IOC-By-Threat	date=2020-09-20 time=07:41:20 id=6874471739997290516 itime=2020-09-20 00:41:20 euid=3 epid=1161 dsteuid=3 dstepid=101 type=utm subtype=ips level=warning sessionid=917509475 policyid=2 srcip=172.16.93.164 dstip=5.79.68.109 srcport=51392 dstport=80 proto=6 logid=0421016399 service=HTTP eventtime=1537181449 crscore=30 crlevel=high srcintfrole=lan dstintfrole=wan direction=outgoing url=/ hostname=survey-smiles.com profile=default eventtype=malicious-url srcintf=95-FortiCloud dstintf=OSPF msg=URL blocked by malicious-url-list devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:20 itime_t=1600587680 devname=FG100D3G02000011
Default-Risky-App-Detection-By-Threat	date=2020-09-20 time=07:41:23 id=6874471752882192399 itime=2020-09-20 00:41:23 euid=3 epid=1201 dsteuid=3 dstepid=101 type=utm subtype=app-ctrl level=information action=pass sessionid=3003333495 policyid=79 srcip=172.16.80.218 dstip=122.195.166.40 srcport=38625 dstport=26881 proto=6 logid=1059028704 service=tcp/26881 eventtime=1537399002 incidentserialno=603516169 crscore=5 crlevel=low direction=outgoing apprisk=high appid=6 srcintfrole=lan dstintfrole=wan applist=scan appcat=P2P app=BitTorrent eventtype=app-ctrl-all srcintf=80-software-r dstintf=port7 msg=P2P: BitTorrent_HTTP.Track, devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:23 itime_t=1600587683 devname=FG100D3G02000011
Default_NOC_Routing_Events	date=2021-02-08 time=10:36:09 eventtime=1612809370040652208 tz="-0800" logid="0103027001" type="event" subtype="router" level="information" vd="root" logdesc="VRRP state changed" interface="port1" msg="VRRP vrid 200 vrip 172.17.200.200 changes state from Master to Backup due to ADVERTISEMENT with higherer priority received"

FortiOS system alerts

FortiOS predefined system alert handlers are consolidated into a single alert handler with multiple rules called Default-FOS-System-Events.

Alerts are organized by device in the Incidents & Alerts dashboards, which can be expanded to view all related alerts.

Default-FOS-System-Events rules apply tags to each alert, allowing you to identify which Default-FOS-System-Events rule triggered the alert.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

Administration Guide

Predefined basic alert handlers