Rule based event correlation 7.2.2

In previous versions, event handlers could only be triggered when individual filters were matched. Rule based event correlation gives extra flexibility by triggering event handlers when a series of rules are met.

Usability is also enhanced with the introduction of data selectors and notification profiles. You can define devices, log filters, and notification parameters that can be used across multiple event handlers without the need to re-create them individually in each event handler.

These features are configured in FortiSoC > Handlers. This pane now includes a Data Selector List, Notification Profile List, Event Handler List, and Correlation Handler List.

Data selectors

Data selectors are used to select devices, subnets, and filters (previously known as "pre-filters") for event handlers. You can create, edit, clone, and delete data selectors in FortiSoC > Handlers > Data Selector List.

There are five default data selectors:

  • Default Intrusion Selector For Malicious Code Detection

  • Default IP Scanning Selector For Recon Activity Detection

  • Default Local Device Selector

  • Default Malicious File Selector For Malicious File Detection

  • Default Risky App Selector for Risky App Detection

These default data selectors are used in some of the predefined event handlers, and they cannot be edited or deleted.

When configuring a data selector, you must specify:

  • Devices

  • Subnets

  • Filters

Note

The filters in data selectors are applied before every rule configured in the event handler. As a result, the filters do not need to be configured individually within each rule of the event handler(s) that the data selector is assigned to.

Once configured, the data selectors can be applied to basic event handlers and correlation event handlers, where needed.

Notification profiles

Notification profiles determine if and where an event handler sends an alert notification when generating an event. You can create, edit, clone, and delete notification profiles in FortiSoC > Handlers > Notification Profile List.

You can configure the notification profile to send the alert to an email address, SNMP community, and/or syslog server. You can also configure the notification profile to send the alert through a fabric connector.

Similar to data selectors, notification profiles can be assigned to basic event handlers and correlation event handlers, where needed.

Event handlers

You can create, edit, clone, delete, and import/export basic event handlers in FortiSoC > Handlers > Event Handler List.

When creating and editing an event handler, you can assign a data selector and notification profile.

You can also configure the event handler rules according to your needs.

Note

The event handler "rules" were previously known as "filters".

The Automation Stitch option is now available when configuring event handlers. Events triggered from event handlers with the automation stitch enabled are pushed to the FortiGate for further processing. These events can be viewed in the FortiAnalyzer GUI as well. For example, see the predefined event handler below with Automation Stitch enabled.

An Automation Stitch column is added in the Event Handler List to identify which event handlers have the automation stitch enabled.

Correlation handlers

You can create, edit, clone, delete, and import/export correlation event handlers in FortiSoC > Handlers > Correlation Handler List.

There are three default correlation handlers:

  • Default-Brute-Force-Account-Login-Attack-FAZ

  • Default-Brute-Force-Account-Login-Attack-FGT

  • Default-Suspicious-Traffic-From-Infected-Endpoint

These correlation handlers are disabled by default. Some of their settings can be edited, and they can be enabled according to your needs. To enable a correlation handler (as shown in the image below), select it and click More > Enable.

Similar to basic event handlers, you can assign a data selector and notification profile to the correlation event handler. You can also enable the Automation Stitch, if needed.

When configuring rules for the correlation event handler, you must also configure a correlation sequence and correlation criteria for those rules. For example, see the default correlation handler below.

When creating a new correlation handler, you can add rules using the plus (+) icon in the Correlation Sequence section.

You can configure the same options in a rule for a correlation handler as in a basic event handler. For example, see a rule from the default correlation handler below.

Rules are added to the correlation sequence in the order they are created. Either create the rules in the order you want them to appear in the sequence, or re-order them afterwards: at each position in the sequence, use the dropdown to select a different rule from the correlation handler, which changes the sequence order.

An event is generated only when the correlation sequence as a whole is satisfied. Set the relationship between each pair of adjacent rules in the sequence with one of the following operators:

  • AND: both rules match
  • AND_NOT: the first rule matches and the second does not
  • OR: either rule matches
  • FOLLOWED_BY: the second rule matches within a time limit after the first (if selected, enter the time limit for the correlation to occur in)
  • NOT_FOLLOWED_BY: the first rule matches and the second does not match within the time limit (if selected, enter the time limit for the correlation to occur in)

You can edit or delete rules within the correlation sequence by using the icons next to the rule. Alternatively, you can click the edit icon in the rule dropdown to edit its settings.

In the Correlation Criteria section, specify the fields the handler uses to correlate the rules. You can add multiple criteria if needed. Each criterion applies to two rules, using one field from each rule to join them (for example, matching the source IP seen by the first rule with the source IP seen by the second). The options available in the Field dropdown are determined by the Group By fields configured in the rules, so a field you want to correlate on must be configured as a Group By field in the rule it belongs to. For example, see the correlation criteria from the default correlation handler.
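
To make the sequence operators and correlation criteria concrete, here is an added example (editor's code, not FortiAnalyzer's and not a reproduction of its engine) that models the behaviour this section describes over a few constructed log records: a data selector applied before every rule, two rules that group by source IP with a count threshold, each of the five operators with a time limit, and a criterion that joins the rules on their Group By field. The device names, field names, addresses, thresholds and the 300-second time limit are all assumed for the illustration.

```python
"""Toy model of the correlation semantics described above, over constructed logs.

Added example for this page, not FortiAnalyzer code: it does not reproduce the
product's engine, only the behaviour the text describes (data selector before
every rule, rules with Group By and a threshold, five operators, one criterion).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

# Constructed sample records (not captured from a real device); ts is epoch seconds.
SAMPLE_LOGS = [
    {"devid": "FGT-A", "ts": 100, "srcip": "10.1.1.5", "user": "alice", "action": "login", "status": "failed"},
    {"devid": "FGT-A", "ts": 105, "srcip": "10.1.1.5", "user": "alice", "action": "login", "status": "failed"},
    {"devid": "FGT-A", "ts": 110, "srcip": "10.1.1.5", "user": "alice", "action": "login", "status": "failed"},
    {"devid": "FGT-A", "ts": 130, "srcip": "10.1.1.5", "user": "alice", "action": "login", "status": "success"},
    {"devid": "FGT-A", "ts": 200, "srcip": "10.1.1.9", "user": "bob", "action": "login", "status": "failed"},
    {"devid": "FGT-A", "ts": 202, "srcip": "10.1.1.9", "user": "bob", "action": "login", "status": "failed"},
    {"devid": "FGT-A", "ts": 204, "srcip": "10.1.1.9", "user": "bob", "action": "login", "status": "failed"},
    {"devid": "FGT-A", "ts": 900, "srcip": "10.1.1.9", "user": "bob", "action": "login", "status": "success"},
    {"devid": "FGT-B", "ts": 300, "srcip": "172.16.0.3", "user": "eve", "action": "login", "status": "failed"},
    {"devid": "FGT-A", "ts": 400, "srcip": "10.1.2.7", "user": "mallory", "action": "login", "status": "failed"},
    {"devid": "FGT-A", "ts": 401, "srcip": "10.1.2.7", "user": "mallory", "action": "login", "status": "failed"},
    {"devid": "FGT-A", "ts": 402, "srcip": "10.1.2.7", "user": "mallory", "action": "login", "status": "failed"},
]


@dataclass(frozen=True)
class DataSelector:
    """Devices, subnets and a log filter, applied before every rule of a handler."""
    devices: frozenset
    subnets: tuple
    log_filter: Callable[[dict], bool] = lambda log: True

    def select(self, log: dict) -> bool:
        """Empty devices/subnets mean 'any'; the filter always applies."""
        if self.devices and log["devid"] not in self.devices:
            return False
        if self.subnets and not any(ip_address(log["srcip"]) in net for net in self.subnets):
            return False
        return self.log_filter(log)


@dataclass(frozen=True)
class Rule:
    """A field match, a Group By field, and how many matches trigger the rule."""
    name: str
    match: Callable[[dict], bool]
    group_by: str
    threshold: int = 1

    def fire(self, logs: list) -> dict:
        """Return {group value: ts at which the threshold was first reached}."""
        counts, fired = {}, {}
        for log in sorted(logs, key=lambda l: l["ts"]):
            if self.match(log):
                key = log[self.group_by]
                counts[key] = counts.get(key, 0) + 1
                if counts[key] == self.threshold:
                    fired[key] = log["ts"]
        return fired


def correlate(logs, selector, rule_a, rule_b, operator, criterion, time_limit=None):
    """Evaluate `rule_a <operator> rule_b`; return sorted group values that raise an event.

    criterion is (field of rule_a, field of rule_b). Like the Field dropdown, this model
    only accepts the rules' Group By fields, so the join is on the group value.
    """
    if criterion != (rule_a.group_by, rule_b.group_by):
        raise ValueError("correlation criteria must use the rules' Group By fields")
    selected = [log for log in logs if selector.select(log)]  # selector runs before any rule
    fired_a, fired_b = rule_a.fire(selected), rule_b.fire(selected)
    if operator == "OR":  # either rule alone raises an event; no join needed
        return sorted(set(fired_a) | set(fired_b))

    def b_within(key, t_a):  # does rule_b fire for this group within time_limit after t_a?
        window = [log for log in selected if t_a <= log["ts"] <= t_a + time_limit]
        return key in rule_b.fire(window)

    tests = {
        "AND": lambda key, t_a: key in fired_b,
        "AND_NOT": lambda key, t_a: key not in fired_b,
        "FOLLOWED_BY": b_within,
        "NOT_FOLLOWED_BY": lambda key, t_a: not b_within(key, t_a),
    }
    if operator not in tests:
        raise ValueError(f"unknown operator {operator!r}")
    return sorted(key for key, t_a in fired_a.items() if tests[operator](key, t_a))


# Assumed configuration: only FGT-A, only 10.1.0.0/16, only login logs (all constructed).
SELECTOR = DataSelector(frozenset({"FGT-A"}), (ip_network("10.1.0.0/16"),),
                        lambda log: log["action"] == "login")
FAILED = Rule("repeated_failed_logins", lambda log: log["status"] == "failed", "srcip", threshold=3)
SUCCESS = Rule("successful_login", lambda log: log["status"] == "success", "srcip")


def run_all(logs=SAMPLE_LOGS, time_limit=300):
    """FAILED <op> SUCCESS for every operator, joined on FAILED.srcip == SUCCESS.srcip."""
    return {op: correlate(logs, SELECTOR, FAILED, SUCCESS, op, ("srcip", "srcip"), time_limit)
            for op in ("AND", "AND_NOT", "OR", "FOLLOWED_BY", "NOT_FOLLOWED_BY")}
```

Calling run_all() evaluates FAILED <operator> SUCCESS for each operator. With the 300-second limit, FOLLOWED_BY raises an event only for 10.1.1.5 (a success 20 seconds after the third failure), while NOT_FOLLOWED_BY raises one for 10.1.1.9 (the success arrives too late) and 10.1.2.7 (no success at all); eve's record never reaches the rules because the data selector drops it. In a streaming engine the NOT_FOLLOWED_BY decision can only be made once the time limit has expired, which is why the time limit matters as much as the rules themselves.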

Events generated from both basic event handlers and correlation event handlers appear in FortiSoC > Event Monitor.