Fortinet black logo

Administration Guide

Default event views

Default event views

FortiAnalyzer event handlers apply one or more tags to events, allowing the events to be grouped into views in the Event Monitor. These views are visible in the left navigation tree.

Default views are organized into three view categories, including:

  • By Endpoint: Provides security event views from an endpoint perspective.
  • By Threat: Provides security event views from a threat perspective.
  • System Events: Provides event views which cover device system events.

In order for events to be displayed in default views, the corresponding event handler(s) must be enabled. Refer to the chart below for a list of the predefined event handlers that must be enabled to support each default view:

View category Default view

Required predefined event handler

By Endpoint All Security Events

Displays all events within category with enabled handlers

Compromised Hosts

Default-Botnet-Communication-Detection-By-Endpoint

Default-Compromised Host-Detection-IOC-By-Endpoint

High Risk App Usage

Default-Risky-App-Detection-By-Endpoint

Malicious Domain/URL Access

Default-Risky-Destination-Detection-By-Endpoint

Malware Activity

Default-Sandbox-Detections-By-Endpoint

Default-Malicious-File-Detection-By-Endpoint

Ongoing Intrusions

Default-Malicious-Code-Detection-By-Endpoint

Sandbox Detections

Default-Sandbox-Detections-By-Endpoint

By Threat

All Security Events

Displays all events within category with enabled handlers

C&C Call Backs

Default-Botnet-Communication-Detection-By-Threat

Default-Compromised Host-Detection-IOC-By-Threat

High Risk App Usage

Default-Risky-App-Detection-By-Threat

Malicious Domain/URL Access

Default-Risky-Destination-Detection-By-Threat

Malware Activity

Default-Sandbox-Detections-By-Threat

Default-Malicious-File-Detection-By-Threat

Ongoing Intrusions

Default-Malicious-Code-Detection-By-Threat

Sandbox Detections

Default-Sandbox-Detections-By-Threat

System Events

All

Displays all events within category with enabled handlers

FortiGate

Default FOS System Events

Local Device

Local Device Event

You can see the tags associated with each view by hovering your mouse over the view in FortiSoC/Incidents & Events; a pop-up is displayed.

Default views can be hidden or disabled. For more information, see Managing default views.

Admins can copy existing views to create custom views. For more information, see Creating custom views.

Default event views

FortiAnalyzer event handlers apply one or more tags to events, allowing the events to be grouped into views in the Event Monitor. These views are visible in the left navigation tree.

Default views are organized into three view categories, including:

  • By Endpoint: Provides security event views from an endpoint perspective.
  • By Threat: Provides security event views from a threat perspective.
  • System Events: Provides event views which cover device system events.

In order for events to be displayed in default views, the corresponding event handler(s) must be enabled. Refer to the chart below for a list of the predefined event handlers that must be enabled to support each default view:

View category Default view

Required predefined event handler

By Endpoint All Security Events

Displays all events within category with enabled handlers

Compromised Hosts

Default-Botnet-Communication-Detection-By-Endpoint

Default-Compromised Host-Detection-IOC-By-Endpoint

High Risk App Usage

Default-Risky-App-Detection-By-Endpoint

Malicious Domain/URL Access

Default-Risky-Destination-Detection-By-Endpoint

Malware Activity

Default-Sandbox-Detections-By-Endpoint

Default-Malicious-File-Detection-By-Endpoint

Ongoing Intrusions

Default-Malicious-Code-Detection-By-Endpoint

Sandbox Detections

Default-Sandbox-Detections-By-Endpoint

By Threat

All Security Events

Displays all events within category with enabled handlers

C&C Call Backs

Default-Botnet-Communication-Detection-By-Threat

Default-Compromised Host-Detection-IOC-By-Threat

High Risk App Usage

Default-Risky-App-Detection-By-Threat

Malicious Domain/URL Access

Default-Risky-Destination-Detection-By-Threat

Malware Activity

Default-Sandbox-Detections-By-Threat

Default-Malicious-File-Detection-By-Threat

Ongoing Intrusions

Default-Malicious-Code-Detection-By-Threat

Sandbox Detections

Default-Sandbox-Detections-By-Threat

System Events

All

Displays all events within category with enabled handlers

FortiGate

Default FOS System Events

Local Device

Local Device Event

You can see the tags associated with each view by hovering your mouse over the view in FortiSoC/Incidents & Events; a pop-up is displayed.

Default views can be hidden or disabled. For more information, see Managing default views.

Admins can copy existing views to create custom views. For more information, see Creating custom views.