Fortinet black logo

Administration Guide

Predefined correlation handlers

Predefined correlation handlers

FortiAnalyzer includes some predefined correlation event handlers that you can use to generate events.

If you wish to recieve notifications from a pedefined correlation handler, configure a notification profile and assign it to the correlation handler. See Creating notification profiles.

To view predefined event handlers in the FortiAnalyzer GUI, go to FortiSoC/Incidents & Events > Handlers > Correlation Handler List. From the More dropdown, select Show Predefined.

The following predefined correlation handlers are available:

Event Handler

Description

Default-Brute-Force-Account-Login-Attack-FAZ

This handler is to detect if an account login failed many times not followed by a login success for FortiAnalyzer.

Disabled by default

Event Severity: Medium

Tags: login, attack

Threshold Duration: 30 minutes

Correlation Sequence:

Login Failed 5 Times
Log Device Type FortiAnalyzer
Log Type Event Log
Group By Device ID
Log messages that match any of the following conditions: Operation Equal To login failed

Aggregate Expression:

COUNT >= 5

NOT_FOLLOWED_BY, within 5m

Login Success
Log Device Type FortiAnalyzer
Log Type Event Log
Group By Device ID
Log messages that match any of the following conditions: Operation Equal To login

Aggregate Expression:

COUNT >= 1

Correlation Criteria:

  • Login Failed 5 Times devid = Login Success devid

Default-Brute-Force-Account-Login-Attack-FGT

This handler is to detect if an account login failed many times not followed by a login success for FortiGate.

Disabled by default

Event Severity: Medium

Tags: login, attack

Threshold Duration: 30 minutes

Correlation Sequence:

Login Failed 5 Times
Log Device Type FortiGate
Log Type Event Log > System
Group By Device ID
Log messages that match any of the following conditions: Log ID Equal To 0100032002

Aggregate Expression:

COUNT >= 5

NOT_FOLLOWED_BY, within 5m

Login-Success
Log Device Type FortiGate
Log Type Event Log > System
Group By Device ID
Log messages that match any of the following conditions: Log ID Equal To 0100032001

Aggregate Expression:

COUNT >= 1

Correlation Criteria:

  • Login Failed 5 Times devid = Login-Success devid

Default-Suspicious-Traffic-From-Infected-Endpoint

This handler is to detect if an endpoint is infected and there is a large traffic from the same endpoint.

Disabled by default

Event Severity: Medium

Tags: CnC

Threshold Duration: 30 minutes

Correlation Sequence:

Logic Group 1

Traffic to Botnet CnC detected or blocked in virus log
Log Device Type FortiGate
Log Type Antivirus
Group By Source Endpoint
Log messages that match any of the following conditions:
  • Log ID Equal To 0202009248

  • Log ID Equal To 0202009249

Aggregate Expression:

COUNT >= 1

OR

Traffic to CnC detected
Log Device Type FortiGate
Log Type Traffic Log > Any
Group By Source Endpoint
Log messages that match any of the following conditions:

tdtype~infected

Aggregate Expression:

COUNT >= 1

OR

Web traffic to CnC detected
Log Device Type FortiGate
Log Type Web Filter
Group By Source Endpoint
Log messages that match any of the following conditions:

tdtype~infected

Aggregate Expression:

COUNT >= 1

OR

DNS traffic to CnC detected
Log Device Type FortiGate
Log Type DNS Log
Group By Source Endpoint
Log messages that match any of the following conditions:

tdtype~infected

Aggregate Expression:

COUNT >= 1

FOLLOWED_BY, within 15m

Logic Group 2

Traffic from endpoint
Log Device Type FortiGate
Log Type Traffic Log > Any
Group By Source Endpoint
Log messages that match any of the following conditions:

Aggregate Expression:

SUM sentbyte >= 100 Mega Byte

Correlation Criteria:

  • Traffic to Botnet CnC detected or blocked in virus log endpoint = Traffic to CnC detected endpoint

  • Traffic to CnC detected endpoint = Web traffic to CnC detected endpoint

  • Web traffic to CnC detected endpoint = DNS traffic to CnC detected endpoint

  • DNS traffic to CnC detected endpoint = Traffic from endpoint endpoint

Predefined correlation handlers

FortiAnalyzer includes some predefined correlation event handlers that you can use to generate events.

If you wish to recieve notifications from a pedefined correlation handler, configure a notification profile and assign it to the correlation handler. See Creating notification profiles.

To view predefined event handlers in the FortiAnalyzer GUI, go to FortiSoC/Incidents & Events > Handlers > Correlation Handler List. From the More dropdown, select Show Predefined.

The following predefined correlation handlers are available:

Event Handler

Description

Default-Brute-Force-Account-Login-Attack-FAZ

This handler is to detect if an account login failed many times not followed by a login success for FortiAnalyzer.

Disabled by default

Event Severity: Medium

Tags: login, attack

Threshold Duration: 30 minutes

Correlation Sequence:

Login Failed 5 Times
Log Device Type FortiAnalyzer
Log Type Event Log
Group By Device ID
Log messages that match any of the following conditions: Operation Equal To login failed

Aggregate Expression:

COUNT >= 5

NOT_FOLLOWED_BY, within 5m

Login Success
Log Device Type FortiAnalyzer
Log Type Event Log
Group By Device ID
Log messages that match any of the following conditions: Operation Equal To login

Aggregate Expression:

COUNT >= 1

Correlation Criteria:

  • Login Failed 5 Times devid = Login Success devid

Default-Brute-Force-Account-Login-Attack-FGT

This handler is to detect if an account login failed many times not followed by a login success for FortiGate.

Disabled by default

Event Severity: Medium

Tags: login, attack

Threshold Duration: 30 minutes

Correlation Sequence:

Login Failed 5 Times
Log Device Type FortiGate
Log Type Event Log > System
Group By Device ID
Log messages that match any of the following conditions: Log ID Equal To 0100032002

Aggregate Expression:

COUNT >= 5

NOT_FOLLOWED_BY, within 5m

Login-Success
Log Device Type FortiGate
Log Type Event Log > System
Group By Device ID
Log messages that match any of the following conditions: Log ID Equal To 0100032001

Aggregate Expression:

COUNT >= 1

Correlation Criteria:

  • Login Failed 5 Times devid = Login-Success devid

Default-Suspicious-Traffic-From-Infected-Endpoint

This handler is to detect if an endpoint is infected and there is a large traffic from the same endpoint.

Disabled by default

Event Severity: Medium

Tags: CnC

Threshold Duration: 30 minutes

Correlation Sequence:

Logic Group 1

Traffic to Botnet CnC detected or blocked in virus log
Log Device Type FortiGate
Log Type Antivirus
Group By Source Endpoint
Log messages that match any of the following conditions:
  • Log ID Equal To 0202009248

  • Log ID Equal To 0202009249

Aggregate Expression:

COUNT >= 1

OR

Traffic to CnC detected
Log Device Type FortiGate
Log Type Traffic Log > Any
Group By Source Endpoint
Log messages that match any of the following conditions:

tdtype~infected

Aggregate Expression:

COUNT >= 1

OR

Web traffic to CnC detected
Log Device Type FortiGate
Log Type Web Filter
Group By Source Endpoint
Log messages that match any of the following conditions:

tdtype~infected

Aggregate Expression:

COUNT >= 1

OR

DNS traffic to CnC detected
Log Device Type FortiGate
Log Type DNS Log
Group By Source Endpoint
Log messages that match any of the following conditions:

tdtype~infected

Aggregate Expression:

COUNT >= 1

FOLLOWED_BY, within 15m

Logic Group 2

Traffic from endpoint
Log Device Type FortiGate
Log Type Traffic Log > Any
Group By Source Endpoint
Log messages that match any of the following conditions:

Aggregate Expression:

SUM sentbyte >= 100 Mega Byte

Correlation Criteria:

  • Traffic to Botnet CnC detected or blocked in virus log endpoint = Traffic to CnC detected endpoint

  • Traffic to CnC detected endpoint = Web traffic to CnC detected endpoint

  • Web traffic to CnC detected endpoint = DNS traffic to CnC detected endpoint

  • DNS traffic to CnC detected endpoint = Traffic from endpoint endpoint