Event handlers
Basic event handlers and correlation event handlers determine what events are generated from logs.
For basic event handlers, an event is generated when one of the rules in the event handler is met. Each rule in the basic event handler has an OR relationship with the others.
For correlation event handlers, an event is generated when a set of rules is met in the correlation sequence. For correlation handlers, you define both the rules and the operators that link them (AND, AND_NOT, OR, FOLLOWED_BY, and NOT_FOLLOWED_BY).
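To make the difference between a basic handler (OR across rules) and a correlation handler (rules linked by an operator and evaluated in sequence) concrete, the following is an added Python model; it is not FortiAnalyzer code, and the log field names, the per-source grouping, and the simplified operator semantics (log order only, no time window) are assumptions for illustration.

```python
from typing import Callable, Dict, List

LogEntry = Dict[str, str]
Rule = Callable[[LogEntry], bool]

# Constructed sample Analytics log records (field names are assumptions).
LOGS: List[LogEntry] = [
    {"src": "10.0.0.5", "action": "login-fail", "user": "alice"},
    {"src": "10.0.0.5", "action": "login-fail", "user": "alice"},
    {"src": "10.0.0.5", "action": "login-ok", "user": "alice"},
    {"src": "10.0.0.9", "action": "login-ok", "user": "bob"},
    {"src": "10.0.0.7", "action": "login-fail", "user": "carol"},
]

# Two rules used by both handler types below.
fail_rule: Rule = lambda log: log["action"] == "login-fail"
ok_rule: Rule = lambda log: log["action"] == "login-ok"


def basic_handler(rules: List[Rule], logs: List[LogEntry]) -> List[LogEntry]:
    """Basic handler: rules are ORed, so any single rule hit yields an event."""
    return [log for log in logs if any(rule(log) for rule in rules)]


def correlation_handler(first: Rule, op: str, second: Rule,
                        logs: List[LogEntry], group_by: str = "src") -> List[str]:
    """Two-rule correlation handler evaluated per group_by value (assumed to
    model correlating on a shared field such as the source address).
    Returns the group values for which an event is generated. Assumed
    semantics: FOLLOWED_BY / NOT_FOLLOWED_BY compare log order; no time window."""
    events = []
    for key in sorted({log[group_by] for log in logs}):
        subset = [log for log in logs if log[group_by] == key]
        a = [i for i, log in enumerate(subset) if first(log)]   # first-rule hits
        b = [i for i, log in enumerate(subset) if second(log)]  # second-rule hits
        hit = {
            "AND": bool(a) and bool(b),
            "AND_NOT": bool(a) and not b,
            "OR": bool(a) or bool(b),
            "FOLLOWED_BY": bool(a) and any(j > min(a) for j in b),
            "NOT_FOLLOWED_BY": bool(a) and not any(j > max(a) for j in b),
        }[op]
        if hit:
            events.append(key)
    return events


if __name__ == "__main__":
    print("basic (fail OR ok):", len(basic_handler([fail_rule, ok_rule], LOGS)))
    print("fail FOLLOWED_BY ok:", correlation_handler(fail_rule, "FOLLOWED_BY", ok_rule, LOGS))
    print("fail NOT_FOLLOWED_BY ok:", correlation_handler(fail_rule, "NOT_FOLLOWED_BY", ok_rule, LOGS))
```

Note that the basic handler fires once per matching log, while the correlation handler fires once per source that satisfies the whole sequence.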
There are predefined event handlers for FortiGate, FortiSandbox, FortiMail, and FortiWeb devices. In a Security Fabric ADOM, all predefined event handlers are displayed. Some predefined event handlers are disabled by default, but you can enable them from the GUI.
You can also create your own custom event handlers. An easy way to create a custom event handler is to clone a predefined event handler and customize its settings.
Data selectors and notification profiles are configured separately from event handlers, and then selected as part of configuring predefined or custom event handlers as needed. Data selectors determine which devices, subnets, and filters to use for the handler, and notification profiles determine if and where to send alert notifications when an event is generated by the handler. These groupings promote reusability, which results in increased efficiency and a reduction in human error when configuring event handlers.
When ADOMs are enabled, each ADOM has its own event handlers and list of events. Ensure you are in the correct ADOM when working in Incidents & Events. You can import and export the event handlers, allowing you to develop custom event handlers and deploy them in bulk to other ADOMs or FortiAnalyzer units, if needed.
Event handlers generate events only from Analytics logs and not Archive logs. For more information, see Analytics and Archive logs. In an Analyzer–Collector collaboration scenario, the Analyzer evaluates the event handlers. For more information, see Analyzer–Collector collaboration.
In Incidents & Events > Handlers, you can manage the Data Selectors, Notification Profiles, Basic Handlers, and Correlation Handlers separately.
In this section, you will find the following topics:
- Predefined event handlers
- Predefined correlation handlers
- Creating data selectors
- Creating notification profiles
- Creating a custom event handler
- Creating a custom correlation handler
- Using the Automation Stitch for event handlers
- Using the Generic Text Filter
- Managing event handlers
- Enabling event handlers
- Cloning event handlers
- Resetting predefined event handlers to factory defaults
- Importing and exporting event handlers