Fortinet Document Library

Administration Guide
Security alarms

The Security Alarms view displays alarms that are created when an incoming security event satisfies a trigger and activates a rule. The list is updated as alarms are created. Alarms may be created with an associated action from the matched rule. The action may have been taken automatically, or can be taken manually from the view. A user with the correct permissions may override the associated action when taking action manually. Actions may only be taken on an alarm once. You also have the ability to undo the associated action once it's been taken.

When you click a specific alarm, the details of the events that triggered the alarm appear in the Events tab. You can also create a new event rule based on the events in the list. The Actions Taken tab displays the actions that were taken for the alarm, their completion status, and whether they were successful (if applicable).

Click Logs > Security Alarms. The Security Alarms view appears.

See Navigation and Filters for information on common navigation tools and data filters.

Settings

The fields listed in the table below are displayed in columns on the Security Alarms View based on the selections you make in the Settings window.

Field

Definition

Add Filter drop-down list

Allows you to select a field from the current view to filter information. Select the field from the drop-down list, and then enter the information you wish to filter. See Filters.

Update button

Displays the filtered data in the table.

Pause

Allows the user to pause the Security Alarms view so that it stops updating with new alarms and specific alarms can be examined more easily.

Security alarms

Host MAC

The MAC address for the host that triggered the alarm. Click the MAC address to open the Modify Host window where you can register the host and modify host details. See Add or modify a host.

Alarm Date

The date when the alarm was created.

Matched Rule

The name of the rule that created the alarm.

Action

The action associated with the alarm: either the action from the matched rule when the alarm was created, or the action that was taken on the alarm. Users can click the action to open the Modify Security Action dialog window and modify the action. See Add or modify an action.

If an action is associated with an alarm but was not taken, and the action is then deleted from the Security Actions view, the action is disassociated from the alarm and users may take a new action on the alarm.

If an action was taken on an alarm, and the action is then deleted from the Security Actions view, the action remains visible but is not editable.

Action Taken Date

If an action was taken, shows the date when the action was taken.

Action Taken By

The user who manually took the action on the alarm.

Action Undone Date

If the action was undone, shows the date when the action was undone.

Action Undone By

The user who manually undid the action.
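The alarm lifecycle described in this section (an event satisfies a rule trigger, an alarm is created with the rule's associated action, the action is taken automatically or manually and only once, an override requires permission, a taken action can be undone once, and a deleted action is disassociated if untaken or kept read-only if already taken) can be captured as a small state model. The following Python is an added example, not FortiNAC's code; every class, method and field name is an assumption, and the sample event is constructed to match the shape of the Events tab columns.

```python
# Added example: toy model of the Security Alarms lifecycle (not FortiNAC code;
# all names below are assumptions chosen for illustration).
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional


class AlarmError(Exception):
    """Raised when an operation is not permitted in the alarm's current state."""


@dataclass
class SecurityAction:
    name: str
    deleted: bool = False  # True once removed from the Security Actions view


@dataclass
class EventRule:
    name: str
    trigger: Callable[[dict], bool]   # predicate over an Events-tab style record
    action: Optional[SecurityAction]  # action associated with alarms this rule creates
    auto_take: bool = False           # take the associated action automatically


@dataclass
class Alarm:
    host_mac: str
    matched_rule: str
    action: Optional[SecurityAction]
    events: list = field(default_factory=list)
    action_taken_date: Optional[datetime] = None
    action_taken_by: Optional[str] = None
    action_undone_date: Optional[datetime] = None
    action_undone_by: Optional[str] = None

    @property
    def action_taken(self) -> bool:
        return self.action_taken_date is not None

    @property
    def action_undone(self) -> bool:
        return self.action_undone_date is not None

    @property
    def action_editable(self) -> bool:
        # A taken action whose definition was later deleted stays visible but read-only.
        return self.action is not None and not self.action.deleted

    def take_action(self, user: str, can_override: bool = False,
                    override: Optional[SecurityAction] = None) -> SecurityAction:
        # Take the associated action (or a permitted override) exactly once.
        if self.action_taken:
            raise AlarmError("an action may only be taken once on an alarm")
        if override is not None:
            if not can_override:
                raise AlarmError(f"{user} may not override the associated action")
            self.action = override
        if self.action is None:
            raise AlarmError("no action is associated with this alarm")
        self.action_taken_date = datetime.now(timezone.utc)
        self.action_taken_by = user
        return self.action

    def undo_action(self, user: str) -> None:
        # Undo is allowed only after the action was taken, and only once.
        if not self.action_taken:
            raise AlarmError("no action has been taken on this alarm")
        if self.action_undone:
            raise AlarmError("the action has already been undone")
        self.action_undone_date = datetime.now(timezone.utc)
        self.action_undone_by = user


def delete_security_action(action: SecurityAction, alarms: list) -> None:
    """Delete an action from the catalogue and apply the Action-column semantics."""
    action.deleted = True
    for alarm in alarms:
        if alarm.action is action and not alarm.action_taken:
            alarm.action = None  # disassociated: a new action may be taken later
        # an alarm whose action was already taken keeps it: visible, not editable


def evaluate_event(event: dict, rules: list) -> Optional[Alarm]:
    """Create an alarm from the first rule whose trigger the event satisfies."""
    for rule in rules:
        if rule.trigger(event):
            alarm = Alarm(host_mac=event["source_mac"], matched_rule=rule.name,
                          action=rule.action, events=[event])
            if rule.auto_take and rule.action is not None:
                alarm.take_action("system")  # automatic: no user, no override
            return alarm
    return None


# Constructed sample event shaped like the Events tab columns (not real data).
SAMPLE_EVENT = {
    "source_ip": "10.0.0.25", "source_mac": "00:11:22:33:44:55",
    "destination_ip": "203.0.113.9", "alert_type": "IPS", "subtype": "Exploit",
    "severity": 4, "threat_id": "EXAMPLE-0001", "location": "Switch01 port 7",
}
DISABLE_HOST = SecurityAction("Disable Host")
HIGH_SEVERITY_IPS = EventRule(
    "High severity IPS",
    trigger=lambda e: e["alert_type"] == "IPS" and e["severity"] >= 3,
    action=DISABLE_HOST, auto_take=True)
```

Calling `evaluate_event(SAMPLE_EVENT, [HIGH_SEVERITY_IPS])` returns an alarm whose action was taken by "system"; a second `take_action` on it raises, `undo_action` succeeds once, and `delete_security_action` clears the action only on alarms where it was never taken.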

Buttons

Export

Use the Export option to export a list of selected hosts to CSV, Excel, PDF or RTF formats.

Options

The Options button displays the same menu options shown when you right-click a selected alarm.

Take Action

The user can manually take action on the selected alarm, if an action has not already been taken.

Undo Action

The user can undo an action if the action has been taken on the selected alarm but has not been undone.

View Host

Opens the Modify Host window to view and update the details of the host that triggered the alarm. See Add or modify a host.

Right click options

Take Action

The user can manually take action on the selected alarm, if an action has not already been taken.

Undo Action

The user can undo an action if the action has been taken on the selected alarm. When the action is undone, the secondary task is performed on the host if enabled.

View Host

Opens the Modify Host window to view and update the details of the host associated with the selected security event. See Add or modify a host.

View in Host View

Opens the host in Host View. See Host view.

Events tab

Event Date

The date when the event that triggered the alarm occurred.

Source IP

The IP address for the host that triggered the event.

Source MAC

The MAC address of the host that triggered the event.

Destination IP

The IP address of the host or device the source host was communicating with.

Alert Type

The type of security event that triggered the alarm.

Subtype

The subtype of the security event.

Severity

The severity of the event reported by the security appliance.

Threat ID

A unique identifying code supplied by the vendor for the specific type of threat or event that occurred.

Event Description

A description supplied by the security appliance of the event.

Location

The location of the source host on the network. For example, this could be the SSID the host is connected to wirelessly, or the port the host is plugged into on a switch.

Right click options

View Details

Displays the details of the security event that triggered the alarm.

View Host

Opens the Modify Host window to view and update the details of the host associated with the selected security event. See Add or modify a host.

View in Host View

Opens the host in Host View. See Host view.

Create Event Rule

Allows the user to create a rule based on the selected events.

Actions taken tab

Action

The action that was taken on the alarm.

Completed

Indicates whether the action was completed.