
Understanding event statuses – FortiAnalyzer – FortiOS 6.2.3

Understanding event statuses

In the Event Monitor dashboards, you can view the status of an event in the Event Status column. Event statuses include Unhandled, Mitigated, Contained, and (blank).

Event statuses are applied by the associated event handler. When creating a custom event handler, you can manually select an event status or choose to allow FortiAnalyzer to decide.

In general, when Allow FortiAnalyzer to choose is selected, the event status for UTM events is applied based on the following:

Event status   Description
Unhandled      The security event risk is not mitigated or contained, so it is considered open.
               Example: an IPS/AV log with action=pass will have the event status Unhandled.
               Botnet and IoC events are also considered Unhandled.
Contained      The risk source is isolated.
               Example: an AV log with action=quarantine will have the event status Contained.
Mitigated      The security risk is mitigated by being blocked or dropped.
               Example: an IPS/AV log with action=block/drop will have the event status Mitigated.
(Blank)        Other scenarios.
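As an added illustration (not part of the FortiAnalyzer documentation or product code), the following Python models the status rules above over constructed FortiGate-style key=value UTM log lines; the field names, action strings and the botnet_or_ioc flag are assumptions chosen to match the table's wording, so compare them against the actual values in your own logs before relying on the result.

```python
import re
from typing import Dict, Iterable

# Constructed FortiGate-style key=value UTM log lines (not from the documentation);
# field names and action values are assumptions matching the table's wording.
SAMPLE_LOGS = [
    'date=2020-01-15 time=10:01:02 type="utm" subtype="ips" action="pass" srcip=10.0.0.5 attack="Test.Sig"',
    'date=2020-01-15 time=10:02:17 type="utm" subtype="virus" action="quarantine" srcip=10.0.0.9 virus="EICAR_TEST_FILE"',
    'date=2020-01-15 time=10:03:44 type="utm" subtype="ips" action="drop" srcip=10.0.0.7 attack="Test.Sig"',
    'date=2020-01-15 time=10:04:00 type="utm" subtype="virus" action="block" srcip=10.0.0.3 virus="EICAR_TEST_FILE"',
    'date=2020-01-15 time=10:05:30 type="utm" subtype="dns" action="pass" srcip=10.0.0.8 msg="constructed botnet lookup"',
    'date=2020-01-15 time=10:06:10 type="utm" subtype="webfilter" action="passthrough" srcip=10.0.0.2',
]

# key=value pairs; values are double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict of string fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def event_status(log: Dict[str, str], botnet_or_ioc: bool = False) -> str:
    """Assign an Event Status per the table above ("" is the (Blank) case).
    botnet_or_ioc marks an event from a Botnet or IoC handler, which the
    table classifies as Unhandled regardless of the log's action field."""
    if botnet_or_ioc:
        return "Unhandled"
    if log.get("type") != "utm" or log.get("subtype") not in ("ips", "virus"):
        return ""                              # not an IPS/AV log: other scenario
    action = log.get("action", "")
    if action == "pass":                       # IPS/AV pass: risk still open
        return "Unhandled"
    if action in ("block", "drop"):            # IPS/AV block or drop
        return "Mitigated"
    if action == "quarantine" and log["subtype"] == "virus":  # AV quarantine
        return "Contained"
    return ""

def summarize(lines: Iterable[str], botnet_ioc_lines=frozenset()) -> Dict[str, int]:
    """Count statuses over raw log lines; indices listed in botnet_ioc_lines
    are treated as events from Botnet/IoC handlers (constructed for this example)."""
    counts = {"Unhandled": 0, "Mitigated": 0, "Contained": 0, "": 0}
    for i, line in enumerate(lines):
        counts[event_status(parse_log(line), i in botnet_ioc_lines)] += 1
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS, botnet_ioc_lines={4}))
```

Run over an export of raw logs, the count of blank and Unhandled statuses is a quick cross-check that the handlers producing your views are enabled and classifying as expected.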

Creating custom views – FortiAnalyzer – FortiOS 6.2.3

Creating custom views

To create a custom view:

  1. Go to Incidents & Events.
  2. Select an existing view to copy.
  3. Select Add Filters to add any additional filters you want to include in the custom view.
  4. Select the custom view icon on the top-right side of the toolbar.
  5. Enter a name for the custom view and assign it to one of the following categories:
       • By Endpoint
       • By Threat
       • System Events
       • Custom View
  6. Select OK to save the view.

Once the custom view is created, you can modify it further by removing or adding filters. Modifications can be saved by selecting the custom view icon and choosing Save or Save As to save the changes as a new view.

Managing default views – FortiAnalyzer – FortiOS 6.2.3

Managing default views

Default views in the By Endpoint, By Threat, and System Events view categories can be hidden, disabled, or copied as a custom view, allowing you to display only the views that are useful to the user.

To hide default views:

  1. Go to Incidents & Events > Event Monitor.
  2. Select an event category.
  3. Right-click on an event view and select Hide.

To disable/enable default views:

  1. Go to Incidents & Events.
  2. Select the gear icon on the bottom of the navigation tree to access the Default Views.
  3. Choose which views are displayed. Add a checkmark to enable the view; remove the check mark to disable the view.
  4. Select Save.

Viewing event details and Acknowledging Events – FortiAnalyzer

Viewing event details

In an event list, to view event details, double-click an event line to drill down for more details.

The event details page contains information about the event and a list of all individual logs. You can work on events using buttons in the toolbar or by right-clicking an event.

  • To change what columns to display, click Column Settings or Column Settings > More Columns.
  • In event details, to view raw logs, click Tools > Display Raw.
  • To switch back to formatted log view, click Tools > Formatted Log.
  • To return to the previous page, click the back button.

Acknowledging events

Acknowledging an event removes it from the event list. Click Show Acknowledged to view acknowledged events.

To acknowledge events:

  • In the event list, select one or more events, then right-click and select Acknowledge.

Filtering events – FortiAnalyzer – FortiOS 6.2.3

Filtering events

You can filter events using the Add Filter box in the toolbar or by right-clicking an entry and selecting a context-sensitive filter.

Filter FortiView summaries using the Add Filter box in the toolbar or by right-clicking an entry and selecting a context-sensitive filter. You can also filter by specific devices or log groups and by time.

To filter events using filters in the toolbar:

  • Specify filters in the Add Filter box.
  • Regular Search: In the selected summary view, click Add Filter and select a filter from the dropdown list, then type a value. Click NOT to negate the filter value. You can add multiple filters and connect them with “and” or “or”.
  • Advanced Search: Click the Switch to Advanced Search icon at the end of the Add Filter box. In Advanced Search mode, enter the search criteria (log field names and values). Click the Switch to Regular Search icon to go back to regular search.

To filter events using the right-click menu:

In the event list, right-click an entry and select a filter criterion (Search <filtervalue>).

Depending on the column in which your mouse is placed when you right-click, FortiView uses the column value as the filter criteria. This context-sensitive filter is only available for certain columns.

To launch Search in Logview from an event:

In the event list, right-click an entry and select Search in Logview.

Log View will launch with the filter automatically filled in with the following information:

  • Log type of the event
  • Time range (the first to the last occurrence of the event)
  • Event trigger and group by value

Default event views – FortiAnalyzer – FortiOS 6.2.3

Default event views

FortiAnalyzer event handlers apply one or more tags to events, allowing the events to be grouped into views in the Event Monitor. These views are visible in the left navigation tree. Default views are organized into three view categories, including:

  • By Endpoint: Provides security event views from an endpoint perspective.
  • By Threat: Provides security event views from a threat perspective.
  • System Events: Provides event views which cover device system events.

In order for events to be displayed in default views, the corresponding event handler(s) must be enabled. Refer to the chart below for a list of the predefined event handlers that must be enabled to support each default view:

View category   Default view                  Required predefined event handler
By Endpoint     All Security Events           Displays all events within category with enabled handlers
                Compromised Hosts             Default-Botnet-Communication-Detection-By-Endpoint
                                              Default-Compromised Host-Detection-IOC-By-Endpoint
                High Risk App Usage           Default-Risky-App-Detection-By-Endpoint
                Malicious Domain/URL Access   Default-Risky-Destination-Detection-By-Endpoint
                Malware Activity              Default-Sandbox-Detections-By-Endpoint
                                              Default-Malicious-File-Detection-By-Endpoint
                Ongoing Intrusions            Default-Malicious-Code-Detection-By-Endpoint
                Sandbox Detections            Default-Sandbox-Detections-By-Endpoint
By Threat       All Security Events           Displays all events within category with enabled handlers
                C&C Call Backs                Default-Botnet-Communication-Detection-By-Threat
                                              Default-Compromised Host-Detection-IOC-By-Threat
                High Risk App Usage           Default-Risky-App-Detection-By-Threat
                Malicious Domain/URL Access   Default-Risky-Destination-Detection-By-Threat
                Malware Activity              Default-Sandbox-Detections-By-Threat
                                              Default-Malicious-File-Detection-By-Threat
                Ongoing Intrusions            Default-Malicious-Code-Detection-By-Threat
                Sandbox Detections            Default-Sandbox-Detections-By-Threat
System Events   All                           Displays all events within category with enabled handlers
                FortiGate                     Default FOS System Events
                Local Device                  Local Device Event

You can see the tags associated with each view by hovering your mouse over the view in Incidents & Events; a pop-up is displayed.

Default views can be hidden or disabled. For more information, see Managing default views.

Admins can copy existing views to create custom views. For more information, see Creating custom views.

Events – FortiAnalyzer – FortiOS 6.2.3

Events

After event handlers start generating events, view events and event details in Incidents & Events > Event Monitor.

When rebuilding the SQL database, you might not see a complete list of historical events. However, you can always see events in real-time logs. You can view the status of the SQL rebuild by checking the Rebuilding DB status in the Notification Center.

All Events

To view all the events, go to Incidents & Events > Event Monitor > All Events.

Double-click an event line to drill down for more details.

Hover your mouse over an entry to view the asset and identity information for that event.

Option                    Description
Devices                   To view events for specific devices, click the devices dropdown and select a device.
Time Period               To change the time period to display, click the time icon and specify a time period. Select Custom to specify a time period not in the dropdown list.
Collapse All/Expand All   To view event summaries or details, click Collapse All or Expand All.
Show Acknowledged         To include acknowledged events, click Show Acknowledged. See Acknowledging events on page 77.
Refresh                   To manually refresh the events data, click Refresh. You can specify a refresh interval of Every 10 Seconds, Every 30 Seconds, Every 1 Minute, or Every 5 Minutes.
Export to CSV             Download the events to a CSV file.
Custom View               Save the current view including filter settings, device selection, and time period.
Column Settings           Select which columns are displayed in the All Events pane. Columns not displayed by default include Acknowledged, Comment, Device ID, Device Name, Device Type, Event ID, Handler Description, Last Occurrence, Tags, and VDOM Name.

Managing event handlers – FortiAnalyzer – FortiOS 6.2.3

Managing event handlers

To manage event handlers, go to Incidents & Events > Event Monitor > Event Handler List.

FortiAnalyzer includes predefined event handlers that you can use to generate events.

This page lists both predefined and custom event handlers, with an icon beside each handler indicating whether it is enabled or disabled.

The following options are available:

Option                      Description
Create New                  Create a new event handler.
Edit                        Edit the selected event handler.
                            Some fields in predefined event handlers cannot be modified, such as the name, description, and filter settings. However, you can clone a predefined event handler and customize its settings. See Cloning event handlers on page 69.
Delete                      Delete the selected event handler. You cannot delete predefined event handlers.
Clone                       Clone the selected event handler. You can clone a predefined event handler and modify it to create a customized event handler.
Enable / Disable            Enable or disable the selected event handler to start or stop generating events on the Incidents & Events > Event Monitor > All Events page.
Collapse All / Expand All   Collapse or expand the Filters column.
Show Predefined             Show or hide predefined handlers in the list.
Show Custom                 Show or hide custom handlers in the list.
Import / Export             Export the selected event handlers or import an event handler you have exported. You can export one or more predefined or custom event handlers and import them into another ADOM or FortiAnalyzer.
Factory Reset               If you have modified a predefined event handler, return the selected predefined event handler to its factory default settings.

Enabling event handlers

For both predefined and custom event handlers, you must enable the event handler to generate events. The Event Handler List page displays an icon beside each event handler indicating whether it is enabled or disabled.

If you want to receive alerts for predefined event handlers, edit the predefined event handler to configure notifications.

To enable event handlers:

  1. Go to Incidents & Events > Event Monitor > Event Handler List.
  2. Select one or more event handlers and click More > Enable or right-click an event handler and select Enable.

Cloning event handlers

Most predefined event handler attributes cannot be modified, such as the name, description and filter settings. You can clone a predefined event handler and customize its settings, and give it a meaningful name that shows its function.

To clone a predefined event handler:

  1. Select a predefined event handler and in the toolbar, click Clone or right-click a predefined event handler and select Clone.
  2. Configure the settings as required and click OK. For a description of the fields, see Creating a custom event handler on page 64.
  3. Click OK to clone the predefined event handler.

Resetting event handlers to factory defaults

You can change predefined event handlers as needed. If required, you can restore predefined event handlers to factory default settings. The Factory Reset option is only available for predefined event handlers that have been changed.

To reset predefined event handlers:

  1. Go to Incidents & Events > Event Monitor > Event Handler List.
  2. In the More menu, ensure Show Predefined is selected.
  3. Right-click an event handler and select Factory Reset or select one or more predefined event handlers and click More > Factory Reset.