Fortinet white logo
Fortinet white logo

Administration Guide

Security events

Security events

Security events displays all incoming security events to FortiNAC that satisfy a security trigger. FortiNAC automatically reviews all security rules for each event. When an event satisfies a trigger associated with a rule, an alarm is created.

You can also create an event rule based on one or more security events in the list.

To view security events, go to Logs > Security Incidents > Events.

Settings

The fields listed in the table below are displayed in columns on the Security Events view based on the selections you make in the Settings window.

Field

Definition

Add Filter

Allows you to select a field from the current view to filter information. Select the field from the drop-down list, and then enter the information you wish to filter. See Filters on page 1.

Update

Displays the filtered data in the table.

Pause

Allows user to pause the Security Event view from updating with new events so specific events can be viewed more easily.

Events

Event Date

The date when the event was received.

Source IP

The IP address for the host that triggered the event.

Source MAC

The MAC address of the host that triggered the event.

Destination IP

The IP address of the host or device the source host was communicating with.

Alert Type

The type of security event was received.

Subtype

The subtype of the security event.

Severity

The severity of the event reported by the security appliance.

Threat ID

A unique identifying code supplied by the vendor for the specific type of threat or event that occurred.

Event Description

A description supplied by the security appliance of the event.

Location

The location of the source host is on the network. For example, this could be the SSID the host is connected to wirelessly, or the port the host is plugged into on a switch.

Buttons

Export

Use the Export option to export a list of selected hosts to CSV, Excel, PDF, or RTF formats.

Options

Options displays the same series of menu picks displayed when the right-mouse button is clicked on a selected alarm.

View Details

Displays the details of the security event.

View Host

Opens the Modify Host window to view and update the details of the host associated with the selected security event.

Right click options

View Details

Displays the details of the security event.

View Host

Opens the Modify Host window to view and update the details of the host associated with the selected security event.

View in Host View

Opens the host in Host View.

Create Event Rule

Allows user to create a rule based on the selected events.

Add an event rule from security events

You can create security event rules directly from the Security Event view. This enables you to create security rules directly from security events as the events occur.

  1. Click Logs > Security Incidents > Events.
  2. Use the filters to locate the appropriate event.
  3. Select the event(s) you wish to use to create the rule. You can select multiple events at a time.
  4. Right-click and select Create Event Rule.
  5. Select the field(s) from the Available Fields column, and then click the right-arrow to add the fields to the Selected Fields column.
  6. Click OK.
  7. The Add Security Trigger window appears. The selected fields populate the trigger filter fields.
  8. Add the details of the trigger. See .
  9. Click OK.
  10. The Add Security Rule window appears.
  11. Add the details of the security rule. See .

The security rule is added to the list of rules in the Security Rules view.

Security events

Security events

Security events displays all incoming security events to FortiNAC that satisfy a security trigger. FortiNAC automatically reviews all security rules for each event. When an event satisfies a trigger associated with a rule, an alarm is created.

You can also create an event rule based on one or more security events in the list.

To view security events, go to Logs > Security Incidents > Events.

Settings

The fields listed in the table below are displayed in columns on the Security Events view based on the selections you make in the Settings window.

Field

Definition

Add Filter

Allows you to select a field from the current view to filter information. Select the field from the drop-down list, and then enter the information you wish to filter. See Filters on page 1.

Update

Displays the filtered data in the table.

Pause

Allows user to pause the Security Event view from updating with new events so specific events can be viewed more easily.

Events

Event Date

The date when the event was received.

Source IP

The IP address for the host that triggered the event.

Source MAC

The MAC address of the host that triggered the event.

Destination IP

The IP address of the host or device the source host was communicating with.

Alert Type

The type of security event was received.

Subtype

The subtype of the security event.

Severity

The severity of the event reported by the security appliance.

Threat ID

A unique identifying code supplied by the vendor for the specific type of threat or event that occurred.

Event Description

A description supplied by the security appliance of the event.

Location

The location of the source host is on the network. For example, this could be the SSID the host is connected to wirelessly, or the port the host is plugged into on a switch.

Buttons

Export

Use the Export option to export a list of selected hosts to CSV, Excel, PDF, or RTF formats.

Options

Options displays the same series of menu picks displayed when the right-mouse button is clicked on a selected alarm.

View Details

Displays the details of the security event.

View Host

Opens the Modify Host window to view and update the details of the host associated with the selected security event.

Right click options

View Details

Displays the details of the security event.

View Host

Opens the Modify Host window to view and update the details of the host associated with the selected security event.

View in Host View

Opens the host in Host View.

Create Event Rule

Allows user to create a rule based on the selected events.

Add an event rule from security events

You can create security event rules directly from the Security Event view. This enables you to create security rules directly from security events as the events occur.

  1. Click Logs > Security Incidents > Events.
  2. Use the filters to locate the appropriate event.
  3. Select the event(s) you wish to use to create the rule. You can select multiple events at a time.
  4. Right-click and select Create Event Rule.
  5. Select the field(s) from the Available Fields column, and then click the right-arrow to add the fields to the Selected Fields column.
  6. Click OK.
  7. The Add Security Trigger window appears. The selected fields populate the trigger filter fields.
  8. Add the details of the trigger. See .
  9. Click OK.
  10. The Add Security Rule window appears.
  11. Add the details of the security rule. See .

The security rule is added to the list of rules in the Security Rules view.