Default event views – FortiAnalyzer – FortiOS 6.2.3

Default event views

FortiAnalyzer event handlers apply one or more tags to events, allowing the events to be grouped into views in the Event Monitor. These views are visible in the left navigation tree. Default views are organized into three view categories, including:

  • By Endpoint: Provides security event views from an endpoint perspective.
  • By Threat: Provides security event views from a threat perspective.
  • System Events: Provides event views which cover device system events.

In order for events to be displayed in a default view, the corresponding event handler(s) must be enabled. Refer to the table below for the predefined event handlers that must be enabled to support each default view:

| View category | Default view | Required predefined event handler |
|---|---|---|
| By Endpoint | All Security Events | Displays all events within the category with enabled handlers |
| By Endpoint | Compromised Hosts | Default-Botnet-Communication-Detection-By-Endpoint and Default-Compromised Host-Detection-IOC-By-Endpoint |
| By Endpoint | High Risk App Usage | Default-Risky-App-Detection-By-Endpoint |
| By Endpoint | Malicious Domain/URL Access | Default-Risky-Destination-Detection-By-Endpoint |
| By Endpoint | Malware Activity | Default-Sandbox-Detections-By-Endpoint and Default-Malicious-File-Detection-By-Endpoint |
| By Endpoint | Ongoing Intrusions | Default-Malicious-Code-Detection-By-Endpoint |
| By Endpoint | Sandbox Detections | Default-Sandbox-Detections-By-Endpoint |
| By Threat | All Security Events | Displays all events within the category with enabled handlers |
| By Threat | C&C Call Backs | Default-Botnet-Communication-Detection-By-Threat and Default-Compromised Host-Detection-IOC-By-Threat |
| By Threat | High Risk App Usage | Default-Risky-App-Detection-By-Threat |
| By Threat | Malicious Domain/URL Access | Default-Risky-Destination-Detection-By-Threat |
| By Threat | Malware Activity | Default-Sandbox-Detections-By-Threat and Default-Malicious-File-Detection-By-Threat |
| By Threat | Ongoing Intrusions | Default-Malicious-Code-Detection-By-Threat |
| By Threat | Sandbox Detections | Default-Sandbox-Detections-By-Threat |
| System Events | All | Displays all events within the category with enabled handlers |
| System Events | FortiGate | Default FOS System Events |
| System Events | Local Device | Local Device Event |
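A quick readiness check built from the table above, added here as an example (it is not part of the FortiAnalyzer documentation or product): given the predefined handlers currently enabled on a unit, it reports which default views will actually receive events and which handlers still need enabling. The enabled-handler list is a constructed sample, not output from a real device.

```python
# Added example, not FortiAnalyzer code: map enabled predefined event handlers
# to the default views they feed, using the view-to-handler table above.

# (By Endpoint view, By Threat view, handler name stems). The same stems exist
# in both categories, with a "-By-Endpoint" or "-By-Threat" suffix.
_SECURITY_VIEWS = [
    ("Compromised Hosts", "C&C Call Backs",
     ["Default-Botnet-Communication-Detection", "Default-Compromised Host-Detection-IOC"]),
    ("High Risk App Usage", "High Risk App Usage", ["Default-Risky-App-Detection"]),
    ("Malicious Domain/URL Access", "Malicious Domain/URL Access",
     ["Default-Risky-Destination-Detection"]),
    ("Malware Activity", "Malware Activity",
     ["Default-Sandbox-Detections", "Default-Malicious-File-Detection"]),
    ("Ongoing Intrusions", "Ongoing Intrusions", ["Default-Malicious-Code-Detection"]),
    ("Sandbox Detections", "Sandbox Detections", ["Default-Sandbox-Detections"]),
]


def default_views():
    """Return {category: {view: [required handler names]}} built from the table."""
    views = {"By Endpoint": {}, "By Threat": {}, "System Events": {
        "FortiGate": ["Default FOS System Events"], "Local Device": ["Local Device Event"]}}
    for ep_view, th_view, stems in _SECURITY_VIEWS:
        views["By Endpoint"][ep_view] = [s + "-By-Endpoint" for s in stems]
        views["By Threat"][th_view] = [s + "-By-Threat" for s in stems]
    return views


def view_status(enabled_handlers):
    """Classify each default view as 'ready' (all required handlers enabled),
    'partial' (some enabled) or 'empty' (none); the per-category 'All' view is
    ready as soon as any handler in that category is enabled."""
    enabled = set(enabled_handlers)
    report = {}
    for category, views in default_views().items():
        status, any_on = {}, False
        for view, required in views.items():
            hits = sum(1 for h in required if h in enabled)
            any_on = any_on or hits > 0
            status[view] = "ready" if hits == len(required) else "partial" if hits else "empty"
        status["All" if category == "System Events" else "All Security Events"] = (
            "ready" if any_on else "empty")
        report[category] = status
    return report


def missing_handlers(enabled_handlers):
    """Handlers still disabled that some default view depends on."""
    needed = {h for views in default_views().values() for req in views.values() for h in req}
    return sorted(needed - set(enabled_handlers))


# Constructed sample: a unit where only three predefined handlers are enabled.
SAMPLE_ENABLED = ["Default-Botnet-Communication-Detection-By-Endpoint",
                  "Default-Sandbox-Detections-By-Threat", "Default FOS System Events"]
```

Run `view_status(SAMPLE_ENABLED)` to see that Compromised Hosts (By Endpoint) and Malware Activity (By Threat) are only partially covered, and `missing_handlers(SAMPLE_ENABLED)` for the 13 handlers still to enable.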

You can see the tags associated with each view by hovering your mouse over the view in Incidents & Events; a pop-up is displayed.

Default views can be hidden or disabled. For more information, see Managing default views.

Admins can copy existing views to create custom views. For more information, see Creating custom views.


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
