Fortinet white logo
Fortinet white logo

Administration Guide

Predefined event handlers

Predefined event handlers

FortiAnalyzer includes many predefined event handlers that you can use to generate events. You can easily create a custom event handler by cloning a predefined event handler and customizing its settings. See Cloning event handlers.

In 6.2.0 and up, predefined event handlers have been consolidated and have multiple filters that can be enabled or disabled individually.

The following are a small sample of FortiAnalyzer predefined event handlers. To see all predefined event handlers, go to Incidents & Events > Event Monitor > Event Handler List and select Show Predefined.

Event Handler

Description

Default-Compromised Host-Detection-by IOC-By-Threat

Disabled by default

Filter 1:

  • Event Severity: Critical
  • Log Type: Traffic Log
  • Group by: dstip
  • Log messages that match all of the following conditions:
    • tdtype~infected
  • Tags: By_Endpoint, IP, C&C

Filter 2:

  • Event Severity: Critical
  • Log Type: Web Filter
  • Group by: Hostname URL
  • Log messages that match all of the following conditions:
    • tdtype~infected
  • Tags: By_Endpoint, C&C, URL

Filter 3:

  • Event Severity: Critical
  • Log Type: DNS Log
  • Group by: QNAME
  • Log messages that match all of the following conditions:
    • tdtype~infected
  • Tags: By_Endpoint, C&C, Domain

Default-Data-Leak-Detection-By-Threat

Disabled by deafult

Filter 1:

  • Event Severity: Medium
  • Log Type: DLP
  • Group by: Filter Category, Source Endpoint
  • Tags: Signature, Leak

Filter 2:

  • Event Severity: Low
  • Log Type: DLP
  • Group by: Filter Category
  • Event Status: Mitigated
  • Tags: Signature, Leak

Default-Sandbox-Detections-By-Endpoint

Disabled by default

Filter 1:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Source Endpoint, Virus Name
  • Log messages that match all of the following conditions:
    • logid==0211009235 or logid==0211009237
  • Tags: By_Endpoint, Sandbox, Signature, Malware

Filter 2:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Source Endpoint, Virus Name
  • Log messages that match all of the following conditions:
    • logid==0211009234 or logid==0211009236
  • Tags: By_Endpoint, Sandbox, Signature, Malware

Filter 3:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Source Endpoint
  • Log messages that match all of the following conditions:
    • logid==0201009238 and fsaverdict==malicious
  • Tags: By_Endpoint, Sandbox, Malware

Local Device Event

Available only in the Root ADOM.

Enabled by default

  • Devices: Local Device
  • Event Severity: Medium
  • Log Type: Event Log
  • Event Type: Any
  • Group By: Device ID
  • Log messages that match the following conditions:
    • Level Equal To Emergency
  • Tags: System, Local

FortiOS system events

FortiOS predefined system event handlers are consolidated into a single event handler with multiple filters called Default FOS System Events.

Events are organized by device in the Incidents & Events dashboards, which can be expanded to view all related events.

Default FOS System Event filters apply tags to each event, allowing you to identify which Deafult FOS System Event filter triggered the event.

Tooltip

If you are upgrading from a version before FortiAnalyzer 6.2.0, the existing legacy predefined handlers which are enabled or have been modified will be available as custom handlers. In the Event Handler List, select the More dropdown and choose Show Custom.

Predefined event handlers

Predefined event handlers

FortiAnalyzer includes many predefined event handlers that you can use to generate events. You can easily create a custom event handler by cloning a predefined event handler and customizing its settings. See Cloning event handlers.

In 6.2.0 and up, predefined event handlers have been consolidated and have multiple filters that can be enabled or disabled individually.

The following are a small sample of FortiAnalyzer predefined event handlers. To see all predefined event handlers, go to Incidents & Events > Event Monitor > Event Handler List and select Show Predefined.

Event Handler

Description

Default-Compromised Host-Detection-by IOC-By-Threat

Disabled by default

Filter 1:

  • Event Severity: Critical
  • Log Type: Traffic Log
  • Group by: dstip
  • Log messages that match all of the following conditions:
    • tdtype~infected
  • Tags: By_Endpoint, IP, C&C

Filter 2:

  • Event Severity: Critical
  • Log Type: Web Filter
  • Group by: Hostname URL
  • Log messages that match all of the following conditions:
    • tdtype~infected
  • Tags: By_Endpoint, C&C, URL

Filter 3:

  • Event Severity: Critical
  • Log Type: DNS Log
  • Group by: QNAME
  • Log messages that match all of the following conditions:
    • tdtype~infected
  • Tags: By_Endpoint, C&C, Domain

Default-Data-Leak-Detection-By-Threat

Disabled by deafult

Filter 1:

  • Event Severity: Medium
  • Log Type: DLP
  • Group by: Filter Category, Source Endpoint
  • Tags: Signature, Leak

Filter 2:

  • Event Severity: Low
  • Log Type: DLP
  • Group by: Filter Category
  • Event Status: Mitigated
  • Tags: Signature, Leak

Default-Sandbox-Detections-By-Endpoint

Disabled by default

Filter 1:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Source Endpoint, Virus Name
  • Log messages that match all of the following conditions:
    • logid==0211009235 or logid==0211009237
  • Tags: By_Endpoint, Sandbox, Signature, Malware

Filter 2:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Source Endpoint, Virus Name
  • Log messages that match all of the following conditions:
    • logid==0211009234 or logid==0211009236
  • Tags: By_Endpoint, Sandbox, Signature, Malware

Filter 3:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Source Endpoint
  • Log messages that match all of the following conditions:
    • logid==0201009238 and fsaverdict==malicious
  • Tags: By_Endpoint, Sandbox, Malware

Local Device Event

Available only in the Root ADOM.

Enabled by default

  • Devices: Local Device
  • Event Severity: Medium
  • Log Type: Event Log
  • Event Type: Any
  • Group By: Device ID
  • Log messages that match the following conditions:
    • Level Equal To Emergency
  • Tags: System, Local

FortiOS system events

FortiOS predefined system event handlers are consolidated into a single event handler with multiple filters called Default FOS System Events.

Events are organized by device in the Incidents & Events dashboards, which can be expanded to view all related events.

Default FOS System Event filters apply tags to each event, allowing you to identify which Deafult FOS System Event filter triggered the event.

Tooltip

If you are upgrading from a version before FortiAnalyzer 6.2.0, the existing legacy predefined handlers which are enabled or have been modified will be available as custom handlers. In the Event Handler List, select the More dropdown and choose Show Custom.