Understanding event statuses – FortiAnalyzer – FortiOS 6.2.3

Understanding event statuses

In the Event Monitor dashboards, you can view the status of an event in the Event Status column. Event statuses include Unhandled, Mitigated, Contained, and (blank).

Event statuses are applied by the associated event handler. When creating a custom event handler, you can manually select an event status or choose to allow FortiAnalyzer to decide.

In general, when Allow FortiAnalyzerto choose is selected, the event status for UTM events is applied based on the following:

Event status   Description
Unhandled   The security event risk is not mitigated or contained, so it is considered open.

Example: an IPS/AV log with action=pass will have the event status Unhandled.

Botnet and IoC events are also considered Unhandled.

Contained   The risk source is isolated.

Example: an AV log with action=quarantine will have the event status Contained.

Mitigated   The security risk is mitigated by being blocked or dropped.
Event status Description
  Example: an IPS/AV log with action=block/drop will have the event status Mitigated.
(Blank) Other scenarios.
This entry was posted in Administration Guides, FortiAnalyzer on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.