Default event views
FortiAnalyzer event handlers apply one or more tags to events, allowing the events to be grouped into views in the Event Monitor. These views are visible in the left navigation tree.
Default views are organized into three view categories, including:
- By Endpoint: Provides security event views from an endpoint perspective.
- By Threat: Provides security event views from a threat perspective.
- System Events: Provides event views which cover device system events.
In order for events to be displayed in default views, the corresponding event handler(s) must be enabled. Refer to the chart below for a list of the predefined event handlers that must be enabled to support each default view:
View category | Default view |
Required predefined event handler |
---|---|---|
By Endpoint | All Security Events |
Displays all events within category with enabled handlers |
Compromised Hosts |
Default-Botnet-Communication-Detection-By-Endpoint Default-Compromised Host-Detection-IOC-By-Endpoint |
|
High Risk App Usage |
Default-Risky-App-Detection-By-Endpoint |
|
Malicious Domain/URL Access |
Default-Risky-Destination-Detection-By-Endpoint |
|
Malware Activity |
Default-Sandbox-Detections-By-Endpoint Default-Malicious-File-Detection-By-Endpoint |
|
Ongoing Intrusions |
Default-Malicious-Code-Detection-By-Endpoint |
|
Sandbox Detections |
Default-Sandbox-Detections-By-Endpoint |
|
By Threat
|
All Security Events |
Displays all events within category with enabled handlers |
C&C Call Backs |
Default-Botnet-Communication-Detection-By-Threat Default-Compromised Host-Detection-IOC-By-Threat |
|
High Risk App Usage |
Default-Risky-App-Detection-By-Threat |
|
Malicious Domain/URL Access |
Default-Risky-Destination-Detection-By-Threat |
|
Malware Activity |
Default-Sandbox-Detections-By-Threat Default-Malicious-File-Detection-By-Threat |
|
Ongoing Intrusions |
Default-Malicious-Code-Detection-By-Threat |
|
Sandbox Detections |
Default-Sandbox-Detections-By-Threat |
|
System Events
|
All |
Displays all events within category with enabled handlers |
FortiGate |
Default FOS System Events |
|
Local Device |
Local Device Event |
You can see the tags associated with each view by hovering your mouse over the view in FortiSoC/Incidents & Events; a pop-up is displayed.
Default views can be hidden or disabled. For more information, see Managing default views.
Admins can copy existing views to create custom views. For more information, see Creating custom views.