
Event handler example scenarios

Custom event handler example

Event handlers can be created to trigger events based on a variety of conditions. By viewing logs in a raw format, you can identify notable log fields and apply corresponding filters in event handlers so that similar logs will trigger an event. For more information on viewing raw logs in FortiAnalyzer, see the FortiAnalyzer Administration Guide.

In this scenario, information from the following raw log is used to create a custom event handler.

date="2020-08-02" time="09:49:57" id=6856321710715568162 bid=8050516 dvid=1039 itime=1596361797 euid=1 epid=1 dsteuid=1 dstepid=1 log_id="0100026477" type="virus" subtype="infected" pri="information" from="qa200@qa.ca" to="user10@6.ca" src="172.20.140.108" session_id="s7Q4T9no026475-s7Q4T9pw026475" msg="The file virus_samples/sandbox/1385973112552098.172.16.92.92.3 is infected with W32/DomaIQ.AN!tr." device_id="FE-2KB3R09690010" vd="root" devname="FE-2KB3R09690010"

This log records malware detected by FortiMail. Two notable fields are the log type, type="virus", and the subtype, subtype="infected".

Using these two fields, you can create an event handler that matches on both values and raises an event whenever a FortiMail log carries them, indicating that an infected message was detected.

To create the custom event handler:
  1. Go to FortiSoC > Handlers > Event Handler List, and click Create New.
  2. Enter a name and description (optional) for the event handler.
  3. For Devices, select your FortiMail device, and for Subnets select All Subnets.
  4. Configure a filter with the following information:
    1. Log Device Type: FortiMail
    2. Log Type: Antivirus Log (virus)
    3. Group By: Device ID
    4. Logs match: All
    5. Log Field: Subtype (subtype) Equal To Infected.

    The remaining settings can be left in their default state. Click OK to save the event handler.

When enabled, logs from the selected FortiMail device that carry both type="virus" and subtype="infected" will generate an event, with matching logs grouped into one event per device ID.

Predefined event handler example

In addition to custom event handlers, FortiAnalyzer includes predefined event handlers. Below are example logs that will trigger predefined event handlers when enabled.

These examples use the Generic Text filter field to match specific raw log content, such as logid="0422016400", in the event handler filters. Because Generic Text is matched against the raw log line, the string must reproduce the field exactly as it appears in the log, including the quotes.

Default-Compromised Host-Detection-by IOC-By-Threat:

Example log:

date="2020-10-02" time="12:54:41" id=6879113766412222465 bid=152167 dvid=1046 itime=1601668486 euid=3 epid=1072 dsteuid=3 dstepid=101 logflag=1 logver=604021723 type="traffic" subtype="forward" level="notice" action="close" policyid=5 sessionid=2126025 srcip="10.200.1.8" dstip="148.81.111.122" srcport=34094 dstport=80 trandisp="noop" duration=1 proto=6 sentbyte=346 rcvdbyte=397 sentpkt=5 rcvdpkt=5 logid="0000000013" srcname="LAN-FSW-GUEST" service="HTTP" app="HTTP" appcat="unscanned" srcintfrole="lan" dstintfrole="wan" srcserver=0 policytype="policy" eventtime=1601668481582497121 srcuuid="2de7756a-0343-51eb-c0b5-0d5602c3ecc6" dstuuid="2de7756a-0343-51eb-c0b5-0d5602c3ecc6" poluuid="528f5f54-0343-51eb-bae9-3c63f22ce0df" srcmac="00:03:93:6d:8f:fd" mastersrcmac="00:03:93:6d:8f:fd" srchwvendor="Apple" osname="Linux" srccountry="Reserved" dstcountry="Poland" srcintf="vsw.port5" dstintf="port1" tdinfoid=7317936224723035242 tdtype="infected-ip" tdscantime=1601668440 tdthreattype=0 tdthreatname=2 tdwfcate=0 tz="-0700" devid="FGVM02TM20001234" vd="root" devname="Enterprise_Second_Floor"

The above example log triggers Filter 1 in the Default-Compromised Host-Detection-by IOC-By-Threat event handler.

Default-Botnet-Communication-Detection-By-Threat:

Example log:

date="2020-10-02" time="12:44:16" id=6879111064877793339 bid=151784 dvid=1043 itime=1601667857 euid=3 epid=1083 dsteuid=3 dstepid=101 logflag=16 logver=604021723 type="utm" subtype="ips" level="warning" action="dropped" sessionid=4398915 srcip="10.100.91.100" dstip="103.226.154.43" srcport=8725 dstport=80 attackid=7630075 severity="critical" proto=6 logid="0422016400" service="HTTP" eventtime=1601667857379929845 policyid=13 crscore=50 craction=4 crlevel="critical" srcintfrole="lan" dstintfrole="wan" direction="outgoing" profile="default" srcintf="port3" dstintf="port1" ref="http://www.fortinet.com/be?bid=7630075" attack="BlackMoon" eventtype="botnet" srccountry="Reserved" msg="Botnet C&C Communication." tz="-0700" tdthreatname=20432 devid="FGVM02TM20001234" vd="root" devname="Enterprise_Core"

The above example log triggers Filter 8 in the Default-Botnet-Communication-Detection-By-Threat event handler.
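The filter logic from both sections above (the custom FortiMail handler built in the procedure, and the Generic Text matching used by the two predefined handlers), as an added Python example that is not part of the Fortinet documentation: it parses raw key=value log lines, applies each handler's conditions with "Logs match: All" semantics, and groups hits by device ID the way the Group By setting does. The sample lines are constructed, shortened versions of the page's three logs plus two extra lines (a second FortiMail unit and a clean traffic log). The page does not show the exact Generic Text strings behind Filter 1 and Filter 8, so `logid="0422016400"` and `tdtype="infected-ip"` are assumed stand-ins taken from the example logs, and the device type is carried as registered-device metadata because it is not a field in the log itself.

```python
import re
from collections import defaultdict

# Matches key=value pairs in a FortiAnalyzer raw log; values are "quoted" or bare tokens.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]+)')


def parse_raw_log(line):
    """Split a raw log line into a {field: value} dict, stripping surrounding quotes."""
    fields = {}
    for key, value in _KV.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


class Handler:
    """Simplified model of one event-handler filter.

    devtype      - registered device type the handler is scoped to (Log Device Type)
    conditions   - (field, value) pairs that must all match (Logs match: All)
    generic_text - raw substring that must appear in the log line (Generic Text)
    group_by     - field whose value groups matching logs into one event (Group By)
    """

    def __init__(self, name, devtype, conditions=(), generic_text=None, group_by="devid"):
        self.name = name
        self.devtype = devtype
        self.conditions = tuple(conditions)
        self.generic_text = generic_text
        self.group_by = group_by

    def matches(self, devtype, raw, fields):
        if devtype != self.devtype:
            return False
        # Generic Text is a raw substring match, so quoting must match the log exactly.
        if self.generic_text is not None and self.generic_text not in raw:
            return False
        return all(fields.get(f) == v for f, v in self.conditions)


HANDLERS = [
    # The custom handler from the procedure above: FortiMail, type=virus, subtype=infected.
    Handler("Custom FortiMail infection", "FortiMail",
            conditions=[("type", "virus"), ("subtype", "infected")],
            group_by="device_id"),
    # Assumed approximations of the two predefined handlers; the page only states
    # that they use Generic Text filters, not the exact strings.
    Handler("Default-Botnet-Communication-Detection-By-Threat", "FortiGate",
            generic_text='logid="0422016400"'),
    Handler("Default-Compromised Host-Detection-by IOC-By-Threat", "FortiGate",
            generic_text='tdtype="infected-ip"'),
]

# Constructed sample input: shortened copies of the page's logs plus two extra lines.
# Device type is registered-device metadata, not a log field, so it rides alongside.
SAMPLES = [
    ("FortiMail", 'date="2020-08-02" time="09:49:57" log_id="0100026477" type="virus" subtype="infected" '
                  'from="qa200@qa.ca" to="user10@6.ca" device_id="FE-2KB3R09690010"'),
    ("FortiMail", 'date="2020-08-02" time="10:02:11" log_id="0100026477" type="virus" subtype="infected" '
                  'from="qa201@qa.ca" to="user11@6.ca" device_id="FE-2KB3R09690010"'),
    ("FortiMail", 'date="2020-08-02" time="10:05:40" log_id="0100026477" type="virus" subtype="infected" '
                  'from="qa202@qa.ca" to="user12@6.ca" device_id="FE-CONSTRUCTED-0002"'),
    ("FortiGate", 'date="2020-10-02" time="12:54:41" type="traffic" subtype="forward" srcip="10.200.1.8" '
                  'dstip="148.81.111.122" logid="0000000013" tdtype="infected-ip" devid="FGVM02TM20001234"'),
    ("FortiGate", 'date="2020-10-02" time="12:44:16" type="utm" subtype="ips" srcip="10.100.91.100" '
                  'dstip="103.226.154.43" logid="0422016400" attack="BlackMoon" eventtype="botnet" '
                  'msg="Botnet C&C Communication." devid="FGVM02TM20001234"'),
    ("FortiGate", 'date="2020-10-02" time="12:55:03" type="traffic" subtype="forward" srcip="10.200.1.9" '
                  'dstip="192.0.2.10" logid="0000000013" devid="FGVM02TM20001234"'),
]


def run_handlers(samples, handlers=HANDLERS):
    """Return {handler name: {group value: number of matching logs}}; each group is one event."""
    events = {h.name: defaultdict(int) for h in handlers}
    for devtype, raw in samples:
        fields = parse_raw_log(raw)
        for h in handlers:
            if h.matches(devtype, raw, fields):
                events[h.name][fields.get(h.group_by, "<no group field>")] += 1
    return {name: dict(groups) for name, groups in events.items()}


if __name__ == "__main__":
    for name, groups in run_handlers(SAMPLES).items():
        print(name)
        for group, count in groups.items():
            print(f"  {group}: {count} log(s) -> 1 event")
```

Running the block shows the three FortiMail virus logs collapsing into two events (one per device_id), while only the single botnet IPS log and the single IOC traffic log trigger their respective handlers; the clean traffic log matches nothing. Note that FortiMail names the device field device_id and FortiGate names it devid, so Group By has to reference the field the chosen device type actually emits.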
