Administration Guide

Creating data selectors

Data selectors are used to select devices, subnets, and filters for event handlers. You can create, edit, clone, and delete data selectors in Incidents & Events > Handlers > Data Selectors.

To assign a data selector to a basic event handler, see Creating a custom event handler.

To assign a data selector to a correlation handler, see Creating a custom correlation handler.

Note

The filters in the data selector are applied before every rule configured in the event handler. This means the filter criteria do not need to be added individually within each rule of the event handler(s) that the data selector is assigned to.

There are five default data selectors:

  • Default Intrusion Selector For Malicious Code Detection

  • Default IP Scanning Selector For Recon Activity Detection

  • Default Local Device Selector

  • Default Malicious File Selector For Malicious File Detection

  • Default Risky App Selector for Risky App Detection

These default data selectors are used in some of the predefined handlers, and they cannot be edited or deleted.

To create a data selector:
  1. Go to Incidents & Events > Handlers > Data Selectors.
  2. Click Create New.

    The Add New Data Selector pane displays.

  3. Configure the following options, and click OK to save the data selector.

    Option

    Description

    Name

    Enter a name for the data selector.

    Devices

    Select one of the following:
    • All Devices.
    • Specify: Select the devices to include.
    • Local Device: Select if the event handler is for local FortiAnalyzer event logs. This option is only available in the root ADOM and is used to query FortiAnalyzer event logs.

      For Local Device, the Log Type must be Event Log and Log Subtype must be Any.

    Subnets

    Select All Subnets to include all subnets, or select Specify to choose which subnet(s) or subnet group(s) will be included or excluded from triggering events. For more information, see Subnets.

    Filters

    Click plus (+) to insert a new filter in the list. The Filter dialog displays. Configure the options and click OK to save.

    To delete a filter from the list, click the x next to the filter.

    Name

    Enter a name for the filter.

    Log Device Type

    Select the device type from the dropdown.

    Log Type

    Select a log type from the dropdown. The log types will vary depending on the device type.

    Log Subtype

    Select a log subtype from the dropdown. The log subtype is not available for all device types.

    Logs match

    Select All or Any of the following conditions.

    Click plus (+) to insert a new condition. You can insert multiple conditions.

    Configure the condition(s):

    • Log Field: Select a log field from the dropdown.

    • Match Criteria: Select an operator from the dropdown.

    • Value: Select the event type from the dropdown.

    To delete a condition, click the delete icon next to the condition.

    Generic Text Filter

    (Optional) Enter a filter string. For more information, see Using the Generic Text Filter.
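As an added illustration (not FortiAnalyzer code and not part of this guide), the following Python models how a data selector gates logs before the handler rules run: device scope, include/exclude subnets, and filters whose conditions combine with All or Any. The field names, operators, sample logs and selector values are constructed assumptions, not real device output.

```python
import ipaddress

# Constructed model of data-selector gating (hypothetical; not FortiAnalyzer code).
OPERATORS = {  # Match Criteria operators modelled here (assumed names)
    "equal": lambda a, b: str(a) == str(b),
    "not equal": lambda a, b: str(a) != str(b),
    "contain": lambda a, b: str(b) in str(a),
}

def condition_matches(log, cond):
    """cond = (Log Field, Match Criteria, Value); a missing field never matches."""
    field, op, value = cond
    return field in log and OPERATORS[op](log[field], value)

def filter_matches(log, flt):
    """flt = {"log_type", "logs_match" ("All"/"Any"), "conditions"}."""
    if log.get("type") != flt["log_type"]:
        return False
    hits = [condition_matches(log, c) for c in flt["conditions"]]
    return all(hits) if flt["logs_match"] == "All" else any(hits)

def selector_selects(log, sel):
    """Devices (None = All Devices), then exclude/include subnets, then filters."""
    if sel["devices"] is not None and log["devid"] not in sel["devices"]:
        return False
    src = ipaddress.ip_address(log["srcip"])
    if any(src in net for net in sel["exclude_subnets"]):
        return False
    if sel["include_subnets"] and not any(src in net for net in sel["include_subnets"]):
        return False
    return not sel["filters"] or any(filter_matches(log, f) for f in sel["filters"])

def run_handler(sel, rules, logs):
    """The selector gates first; every rule then sees only the selected logs."""
    selected = [log for log in logs if selector_selects(log, sel)]
    return {name: [log["logid"] for log in selected if rule(log)] for name, rule in rules.items()}

# Constructed sample logs, selector and rules (not real device output).
SAMPLE_LOGS = [
    {"logid": 1, "devid": "FGT-A", "type": "traffic", "srcip": "10.0.1.5", "action": "deny", "level": "warning"},
    {"logid": 2, "devid": "FGT-A", "type": "traffic", "srcip": "10.0.9.7", "action": "deny", "level": "warning"},
    {"logid": 3, "devid": "FGT-B", "type": "traffic", "srcip": "10.0.1.8", "action": "accept", "level": "notice"},
    {"logid": 4, "devid": "FGT-A", "type": "event", "srcip": "10.0.1.9", "action": "deny", "level": "warning"},
]
EXAMPLE_SELECTOR = {
    "devices": {"FGT-A"},
    "include_subnets": [ipaddress.ip_network("10.0.1.0/24")],
    "exclude_subnets": [ipaddress.ip_network("10.0.9.0/24")],
    "filters": [{"log_type": "traffic", "logs_match": "All",
                 "conditions": [("action", "equal", "deny"), ("level", "equal", "warning")]}],
}
EXAMPLE_RULES = {"denied": lambda log: log["action"] == "deny", "accepted": lambda log: log["action"] == "accept"}
```

Only log 1 survives the selector (log 2 is in an excluded subnet, log 3 is from a device outside the scope, log 4 is not a traffic log), so the "accepted" rule never fires even though log 3 would match it on its own.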