Administration Guide

Event handlers

Basic event handlers and correlation event handlers determine what events are generated from logs.

For basic event handlers, an event is generated when one of the rules in the event handler is met. Each rule in the basic event handler has an OR relationship with the others.

For correlation event handlers, an event is generated when a set of rules is met in correlation sequence. For correlation handlers, you can define both the rules and the operators (AND, AND_NOT, OR, FOLLOWED_BY, and NOT_FOLLOWED_BY).
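The difference between a basic handler (rules ORed, one event per matching log) and a correlation handler (rules chained by operators over a time window) is easiest to see in a small model. The following Python is an added illustration, not FortiAnalyzer code: the `Rule` type, the tumbling-window evaluation, the exact semantics given to each operator (for example, FOLLOWED_BY meaning "the right-hand rule matched later than the earliest left-hand match in the same window") and the sample log records are all assumptions chosen to make the distinction concrete, and a real handler's rule syntax and window handling differ.

```python
"""Simplified model of basic vs. correlation event handlers (added example,
not FortiAnalyzer code). Operator semantics, the tumbling window and the
sample logs below are assumptions made for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple

Log = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Log], bool]


def basic_events(logs: Sequence[Log], rules: Sequence[Rule]) -> List[Tuple[int, List[str]]]:
    """Basic handler: rules are ORed, so every log that matches at least
    one rule produces an event. Returns (time, names of matched rules)."""
    events = []
    for log in logs:
        hits = [r.name for r in rules if r.match(log)]
        if hits:
            events.append((int(log["time"]), hits))
    return events


def _times(logs: Sequence[Log], rule: Rule) -> List[int]:
    """Sorted timestamps of the logs in this window that match the rule."""
    return sorted(int(l["time"]) for l in logs if rule.match(l))


def _combine(op: str, left: List[int], right: List[int]) -> Tuple[bool, List[int]]:
    """Apply one operator to the match times accumulated so far (left) and the
    next rule's match times (right). Returns (fired, times carried forward)."""
    if op == "AND":                      # both sides matched in the window
        both = bool(left) and bool(right)
        return both, sorted(set(left) | set(right)) if both else []
    if op == "AND_NOT":                  # left matched, right never did
        fired = bool(left) and not right
        return fired, left if fired else []
    if op == "OR":                       # either side matched
        union = sorted(set(left) | set(right))
        return bool(union), union
    if op == "FOLLOWED_BY":              # right matched after the earliest left match
        later = [t for t in right if left and t > min(left)]
        return bool(later), later
    if op == "NOT_FOLLOWED_BY":          # some left match had no later right match
        unanswered = [t for t in left if not any(r > t for r in right)]
        return bool(unanswered), unanswered
    raise ValueError(f"unknown operator {op}")


def correlation_events(logs: Sequence[Log], rules: Sequence[Rule],
                       operators: Sequence[str], window: int) -> List[int]:
    """Correlation handler: evaluate rules[0] ops[0] rules[1] ops[1] ... left to
    right inside each tumbling window of `window` seconds. Returns the start
    times of the windows in which the whole sequence was satisfied."""
    if len(operators) != len(rules) - 1:
        raise ValueError("need exactly one operator between each pair of rules")
    buckets: Dict[int, List[Log]] = defaultdict(list)
    for log in logs:
        buckets[(int(log["time"]) // window) * window].append(log)
    fired_windows = []
    for start in sorted(buckets):
        batch = buckets[start]
        times = _times(batch, rules[0])
        fired = bool(times)
        for op, rule in zip(operators, rules[1:]):
            fired, times = _combine(op, times, _times(batch, rule))
            if not fired:
                break
        if fired:
            fired_windows.append(start)
    return fired_windows


# Constructed sample logs (times in seconds); not real device output.
SAMPLE_LOGS: List[Log] = [
    {"time": 0,    "srcip": "10.0.0.5", "action": "login",  "status": "failure"},
    {"time": 20,   "srcip": "10.0.0.5", "action": "accept"},
    {"time": 30,   "srcip": "10.0.0.5", "action": "login",  "status": "failure"},
    {"time": 60,   "srcip": "10.0.0.5", "action": "login",  "status": "failure"},
    {"time": 90,   "srcip": "10.0.0.5", "action": "login",  "status": "success"},
    {"time": 120,  "srcip": "10.0.0.5", "action": "config", "status": "change"},
    {"time": 1000, "srcip": "10.0.0.9", "action": "login",  "status": "failure"},
]

# Hypothetical rules written as predicates over a log record.
AUTH_FAIL = Rule("auth_fail", lambda l: l.get("action") == "login" and l.get("status") == "failure")
AUTH_OK = Rule("auth_ok", lambda l: l.get("action") == "login" and l.get("status") == "success")
CONFIG_CHANGE = Rule("config_change", lambda l: l.get("action") == "config")

if __name__ == "__main__":
    print("basic (OR):", basic_events(SAMPLE_LOGS, [AUTH_FAIL, AUTH_OK]))
    for op in ("AND", "AND_NOT", "OR", "FOLLOWED_BY", "NOT_FOLLOWED_BY"):
        print(f"auth_fail {op} auth_ok ->", correlation_events(SAMPLE_LOGS, [AUTH_FAIL, AUTH_OK], [op], 300))
    print("fail FOLLOWED_BY ok FOLLOWED_BY config ->",
          correlation_events(SAMPLE_LOGS, [AUTH_FAIL, AUTH_OK, CONFIG_CHANGE], ["FOLLOWED_BY", "FOLLOWED_BY"], 300))
```

With these sample logs the basic handler raises five separate events (one per login log), whereas `auth_fail FOLLOWED_BY auth_ok` raises a single event for the first 300-second window and `auth_fail NOT_FOLLOWED_BY auth_ok` fires only in the later window, where the failure is never followed by a success. That is the practical difference: a basic handler tells you that something matched, a correlation handler tells you that a sequence completed (or conspicuously did not).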

There are predefined event handlers for FortiGate, FortiSandbox, FortiMail, and FortiWeb devices. In a Security Fabric ADOM, all predefined event handlers are displayed. Some predefined event handlers are disabled by default, but you can enable them from the GUI.

You can also create your own custom event handlers. An easy way to create a custom event handler is to clone a predefined event handler and customize its settings.

Data selectors and notification profiles are configured separately from event handlers, and then selected as part of configuring predefined or custom event handlers as needed. Data selectors determine which devices, subnets, and filters to use for the handler, and notification profiles determine if and where to send alert notifications when an event is generated by the handler. These groupings promote reusability, which results in increased efficiency and a reduction in human error when configuring event handlers.

When ADOMs are enabled, each ADOM has its own event handlers and list of events. Ensure you are in the correct ADOM when working in FortiSoC/Incidents & Events. You can import and export the event handlers, allowing you to develop custom event handlers and deploy them in bulk to other ADOMs or FortiAnalyzer units, if needed.

Note

Event handlers generate events only from Analytics logs and not Archive logs. For more information, see Analytics and Archive logs.

In an Analyzer–Collector collaboration scenario, the Analyzer evaluates the event handlers. For more information, see Analyzer–Collector collaboration.

In FortiSoC/Incidents & Events > Handlers, you can manage the Data Selector List, Notification Profile List, Event Handler List, and Correlation Handler List separately.

In this section, you will find the following topics:
