Learn more about the traffic and applications that are going across your network and LEARN HOW TO TIGHTEN IT UP!
FortiGate Application Control in FortiOS 6.4.0
1 Reply
Category Archives: FortiOS
Viewing event details and Acknowledging Events – FortiAnalyzer
Viewing event details
In an event list, to view event details, double-click an event line to drill down for more details.
The event details page contains information about the event and a list of all individual logs. You can work on events using buttons in the toolbar or by right-clicking an event. l To change what columns to display, click Column Settings or Column Settings > More Columns. l In event details, to view raw logs, click Tools > Display Raw. l To switch back to formatted log view, click Tools > Formatted Log. l To return to the previous page, click the back button.
Acknowledging events
Acknowledging an event removes it from the event list. Click Show Acknowledged to view acknowledged events.
To acknowledge events:
l In the event list, select one or more events, then right-click and select Acknowledge.
Filtering events – FortiAnalyzer – FortiOS 6.2.3
Filtering events
You can filter events using the Add Filter box in the toolbar or by right-clicking an entry and selecting a context-sensitive filter.
Filter FortiView summaries using the Add Filter box in the toolbar or by right-clicking an entry and selecting a contextsensitive filter. You can also filter by specific devices or log groups and by time.
To filter events using filters in the toolbar:
- Specify filters in the Add Filter
- Regular Search: In the selected summary view, click Add Filter and select a filter from the dropdown list, then type a value. Click NOT to negate the filter value. You can add multiple filters and connect them with “and” or
“or”.
- Advanced Search: Click the Switch to Advanced Search icon at the end of the Add Filter In Advanced Search mode, enter the search criteria (log field names and values). Click the Switch to RegularSearch icon to go back to regular search.
To filter events using the right-click menu:
In the event list, right-click an entry and select a filter criterion (Search <filtervalue>).
Depending on the column in which your mouse is placed when you right-click, FortiView uses the column value as the filter criteria. This context-sensitive filter is only available for certain columns.
To launch Search in Logview from an event:
In the event list, right-click an entry and select Search in Logview.
Log View will launch with the filter automatically filled in with the following information:
- Log type of the event
- Time range (the first to the last occurrence of the event) l Event trigger and group by value
Default event views – FortiAnalyzer – FortiOS 6.2.3
Default event views
FortiAnalyzer event handlers apply one or more tags to events, allowing the events to be grouped into views in the Event Monitor. These views are visible in the left navigation tree. Default views are organized into three view categories, including:
- By Endpoint: Provides security event views from an endpoint perspective.
- By Threat: Provides security event views from a threat perspective. l System Events: Provides event views which cover device system events.
In order for events to be displayed in default views, the corresponding event handler(s) must be enabled. Refer to the chart below for a list of the predefined event handlers that must be enabled to support each default view:
| View category Default view | Required predefined event handler | |
| By Endpoint | All Security Events | Displays all events within category with enabled handlers |
| Compromised Hosts | Default-Botnet-Communication-Detection-By-Endpoint
Default-Compromised Host-Detection-IOC-By-Endpoint |
|
| High Risk App Usage | Default-Risky-App-Detection-By-Endpoint | |
| Malicious Domain/URL Access | Default-Risky-Destination-Detection-By-Endpoint | |
| Malware Activity | Default-Sandbox-Detections-By-Endpoint
Default-Malicious-File-Detection-By-Endpoint |
|
| Ongoing Intrusions | Default-Malicious-Code-Detection-By-Endpoint | |
| Sandbox Detections | Default-Sandbox-Detections-By-Endpoint | |
| By Threat | All Security Events | Displays all events within category with enabled handlers |
| C&C Call Backs | Default-Botnet-Communication-Detection-By-Threat
Default-Compromised Host-Detection-IOC-By-Threat |
|
| High Risk App Usage | Default-Risky-App-Detection-By-Threat | |
| Malicious Domain/URL Access | Default-Risky-Destination-Detection-By-Threat | |
| Malware Activity | Default-Sandbox-Detections-By-Threat
Default-Malicious-File-Detection-By-Threat |
|
| Ongoing Intrusions | Default-Malicious-Code-Detection-By-Threat | |
| Sandbox Detections | Default-Sandbox-Detections-By-Threat | |
| System Events | All | Displays all events within category with enabled handlers |
| FortiGate | Default FOS System Events | |
| Local Device | Local Device Event | |
You can see the tags associated with each view by hovering your mouse over the view in Incidents & Events; a pop-up is displayed.
Default views can be hidden or disabled. For more information, see Managing default views.
Admins can copy existing views to create custom views. For more information, see Creating custom views.
Events – FortiAnalyzer – FortiOS 6.2.3
Events
After event handlers start generating events, view events and event details in Incidents & Events > Event Monitor.
When rebuilding the SQL database, you might not see a complete list of historical events. However, you can always see events in real-time logs. You can view the status of the SQL rebuild by checking the Rebuilding DB status in the Notification Center.
All Events
To view all the events, go to Incidents & Events > Event Monitor> All Events.
Double-click an event line to drill down for more details.
Hover your mouse over an entry to view the asset and identity information for that event.
| Devices | To view events for specific devices, click the devices dropdown and select a device. |
| Time Period | To change the time period to display, click the time icon and specify a time period. Select Custom to specify a time period not in the dropdown list. |
| Collapse All/Expand All | To view event summaries or details, click Collapse All or Expand All. |
| Show Acknowledged | To include acknowledged events, click Show Acknowledged. See Acknowledging events on page 77. |
| Refresh | To manually refresh the events data, click Refresh.
You can specify a refresh interval of Every 10 Seconds, Every 30 Seconds, Every 1 Minute, or Every 5 Minutes. |
| Export to CSV | Download the events to a CSV file. |
| Custom View | Save the current view including filter settings, device selection, and time period. |
| Column Settings | Select which columns are displayed in the All Events pane. Columns not displayed by default include Acknowledged, Comment, Device ID, Device
Name, Device Type, Event ID, HandlerDescription, Last Occurrence, Tags, and VDOM Name. |
Managing event handlers – FortiAnalyzer – FortiOS 6.2.3
Managing event handlers
To manage event handlers, go to Incidents & Events > Event Monitor> Event HandlerList.
FortiAnalyzer includes predefined event handlers that you can use to generate events.
This page lists both predefined and custom event handlers with a icon for enabled event handlers and a icon for disabled event handlers.
The following options are available:
| Option | Description | |
| Create New | Create a new event handler. | |
| Edit | Edit the selected event handler.
Some fields in predefined event handlers cannot be modified, such as the name, description and filter settings. However, you can clone a predefined event handler and customize its settings. See Cloning event handlers on page 69. |
|
| Delete | Delete the selected event handler. You cannot delete predefined event handlers. | |
| Clone | Clone the selected event handler. You can clone a predefined event handler and modify it to create a customized event handler. | |
| Enable / Disable | Enable or disable the selected event handler to start or stop generating events on the Incidents & Events > Event Monitor> All Events page. | |
| Option | Description | |
| Collapse All / Expand All | Collapse or expand the Filters column. | |
| Show Predefined | Show or hide predefined handlers in the list. | |
| Show Custom | Show or hide custom handlers in the list. | |
| Import / Export | Export the selected event handlers or import an event handler you have exported. You can export one or more predefined or custom event handlers and import them into another ADOM or FortiAnalyzer. | |
| Factory Reset | If you have modified a predefined event handler, return the selected predefined event handler to its factory default settings. | |
Enabling event handlers
For both predefined and custom event handlers, you must enable the event handler to generate events. The Event
HandlerList page displays a icon besides enabled event handlers and a icon besides disabled event handlers.
If you want to receive alerts for predefined events handlers, edit the predefined event handler to configure notifications.
To enable event handlers:
- Go to Incidents & Events > Event Monitor> Event HandlerList.
- Select one or more event handlers and click More > Enable or right-click an event handler and select Enable.
Cloning event handlers
Most predefined event handler attributes cannot be modified, such as the name, description and filter settings. You can clone a predefined event handler and customize its settings, and give it a meaningful name that shows its function.
To clone a predefined event handler:
- Select a predefined event handler and in the toolbar, click Clone or right-click a predefined event handler and select Clone.
- Configure the settings as required and click OK. For a description of the fields, see Creating a custom event handler on page 64.
- Click OK to clone the predefined event handler.
Resetting event handlers to factory defaults
You can change predefined event handlers as needed. If required, you can restore predefined event handlers to factory default settings. The Factory Reset option is only available for predefined event handlers that have been changed.
To reset predefined event handlers:
- Go to Incidents & Events > Event Monitor> Event HandlerList.
- In the More menu, ensure Show Predefined is selected.
- Right-click an event handler and select Factory Reset or select one or more predefined event handlers and click More > Factory Reset.
Using the Generic Text Filter in an event handler – FortiAnalyzer – FortiOS 6.2.3
Using the Generic Text Filter in an event handler
The Generic Text Filter uses the glibc regex library for values with operators (~,!~), using the POSIX standard. Filter string syntax is parsed by FortiAnalyzer, and both upper and lower case characters are supported (for example “and” is the same as “AND”). You must use an escape character when needed. For example, cfgpath=firewall.policy is the wrong syntax because it’s missing an escape character. The correct syntax is cfgpath=firewall\.policy.
To create an event handler using the Generic Text Filter to match raw log data:
- Go to Log View, and select a log type.
- In the toolbar, click Tools > Display Raw.
The easiest method is to copy the text string you want from the raw log and paste it into the Generic Text Filter field. Ensure you insert an escape character when necessary, for example, cfgpath=firewall\.policy.
- Locate and copy the text in the raw log.
- Go to Incidents & Events > Event Monitor> Event HandlerList and click Create New.
- In the Generic Text Filter box, paste the text you copied or type the text you want. Ensure you use the raw log field names, for example, mem (not memory) and setuprate (not setup-rate).
For information on text format and operators, hover the cursor over the help icon. The operator ~ means contains and !~ means does not contain.
- If you want to be notified of events, configure the Notifications
- Configure other settings as required and click OK.
Incident and Event Management – FortiAnalyzer – FortiOS 6.2.3
Incident and Event Management
Use Incidents & Events to generate, monitor, and manage alerts and events from logs. The live monitoring of security events is a powerful and enabling feature for security operations. Incidents can be created from events to track and respond to suspicious or malicious activities.
Incidents & Events displays all events generated by event handlers.
Event handlers
Event handlers determine what events are to be generated from logs. Enable an event handler to start generating events. To see which event handlers are enabled or disabled, see Enabling event handlers.
When ADOMs are enabled, each ADOM has its own event handlers and lists of events. Ensure you are in the correct ADOM when working in Incidents & Events.
You can use predefined event handlers to generate events. There are predefined event handlers for FortiGate,
FortiSandbox, FortiMail, and FortiWeb devices. In a Security Fabric ADOM, all predefined event handlers are displayed.
You can create custom event handlers. An easy way to create a custom event handler is to clone a predefined event handler and customize its settings. See Cloning event handlers.
Configure event handlers to generate events for all devices, a specific device, or for the local FortiAnalyzer unit. You can create event handlers for FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiWeb, FortiSandbox devices, and syslog servers. Incidents & Events supports local FortiAnalyzer event logs. To see event handlers, go to Incidents & Events > Event Monitor> Event HandlerList.
Event handlers generate events only from Analytics logs and not Archive logs. For more information, see Analytics and Archive logs.
In an Analyzer–Collector collaboration scenario, the Analyzer evaluates event handlers. For more information, see Analyzer–Collector collaboration.
You can also import and export event handlers, allowing you to develop custom event handlers and deploy them in bulk to other ADOMS or FortiAnalyzer units. For more information, see Importing and exporting event handlers.
Predefined event handlers
FortiAnalyzer includes many predefined event handlers that you can use to generate events. You can easily create a custom event handler by cloning a predefined event handler and customizing its settings. See Cloning event handlers on page 69.
The following are a small sample of FortiAnalyzer predefined event handlers. To see all predefined event handlers, go to Incidents & Events > Event Monitor> Event HandlerList and select Show Predefined.
| Event Handler | Description |
| Default-Compromised HostDetection-by IOC-By-Threat | Disabled by default Filter 1:
l Event Severity: Critical l Log Type: Traffic Log l Group by: dstip l Log messages that match all of the following conditions: l tdtype~infected l Tags: By_Endpoint, IP, C&C Filter 2: l Event Severity: Critical l Log Type: Web Filter l Group by: Hostname URL l Log messages that match all of the following conditions: l tdtype~infected l Tags: By_Endpoint, C&C, URL Filter 3: l Event Severity: Critical l Log Type: DNS Log l Group by: QNAME l Log messages that match all of the following conditions: l tdtype~infected l Tags: By_Endpoint, C&C, Domain |
| Default-Data-Leak-DetectionBy-Threat | Disabled by deafult Filter 1:
l Event Severity: Medium l Log Type: DLP l Group by: Filter Category, Source Endpoint l Tags: Signature, Leak Filter 2: l Event Severity: Low l Log Type: DLP l Group by: Filter Category l Event Status: Mitigated l Tags: Signature, Leak |
| Default-Sandbox-DetectionsBy-Endpoint | Disabled by default |
| Event Handler | Description |
| Filter 1:
l Event Severity: Critical l Log Type: AntiVirus l Group by: Source Endpoint, Virus Name l Log messages that match all of the following conditions: l logid==0211009235 or logid==0211009237 l Tags: By_Endpoint, Sandbox, Signature, Malware Filter 2: l Event Severity: Critical l Log Type: AntiVirus l Group by: Source Endpoint, Virus Name l Log messages that match all of the following conditions: l logid==0211009234 or logid==0211009236 l Tags: By_Endpoint, Sandbox, Signature, Malware Filter 3: l Event Severity: Critical l Log Type: AntiVirus l Group by: Source Endpoint l Log messages that match all of the following conditions: l logid==0201009238 and fsaverdict==malicious l Tags: By_Endpoint, Sandbox, Malware |
|
| Local Device Event | Available only in the Root ADOM. Enabled by default l Devices: Local Device l Event Severity: Medium l Log Type: Event Log l Event Type: Any l Group By: Device ID l Log messages that match the following conditions:
l Level Equal To Emergency l Tags: System, Local |
FortiOS system events
FortiOS predefined system event handlers are consolidated into a single event handler with multiple filters called Default FOS System Events.
Events are organized by device in the Incidents & Events dashboards, which can be expanded to view all related events.
Default FOS System Event filters apply tags to each event, allowing you to identify which Deafult FOS System Event filter triggered the event.
If you are upgrading from a version before FortiAnalyzer 6.2.0, the existing legacy predefined handlers which are enabled or have been modified will be available as custom handlers. In the Event HandlerList, select the More dropdown and choose Show Custom.
FortiGate event handlers
All FortiGates added to FortiAnalyzer use a default event handler on the FortiAnalyzer side to receive high severity events such as Botnet Communication, IPS Attack Pass Through, and Virus Pass Through AntiVirus.
Events triggered from FortiGate Event Handler are not shown in the FortiAnalyzer GUI. The events are pushed to the FortiGate for further processing.
Custom FortiGate event handlers can also be created. See Creating a custom event handler on page 64.
Creating a custom event handler
You can create a custom event handler from scratch or clone a predefined event handler and customize its settings. See Cloning event handlers on page 69.
Configuring an event handler includes defining the following main sections:
| Option | Description |
| Event handler attributes | Event handler attributes such as name, description, and devices. |
| Filters | Filters are rules for event generation.
l Select the log filters to limit the logs that trigger an event. l Group the logs by primary and secondary (optional) values to separate the events that are generated for different Group By values. l Set the number of occurrences within a time frame that triggers an event. l Configure event fields such as event status and severity. |
| Additional Info | Specify what to show in the Additional Info column. You can use the system default information or configure a custom information message. |
| Notifications | Configure notifications to be sent on event generation.
You can send alert notifications to a fabric connector, email address, SNMP community, or syslog server. |
To create a new event handler:
- Go to Incidents & Events > Event Monitor> Event HandlerList.
- In the toolbar, click Create New.
- Configure the settings as required and click OK.
| Field | Description | |
| Status | Enable or disable the event handler.
Enabled event handlers have a Status of ON and show the icon in the Event HandlerList. Disabled event handlers have a a Status of OFF and show the icon in the Event HandlerList. |
|
| Name | Add a name for the handler. | |
| Description | Type a description of the event handler. |
| Field | Description | |
| Devices | Select the devices to include.
l All Devices. l Specify: To add devices, click the Add icon. l Local Device: Select if the event handler is for local FortiAnalyzer event logs. This option is only available in the root ADOM and is used to query FortiAnalyzer event logs. For Local Device, the Log Type must be Event Log and Log Subtype must be Any. |
|
| Subnets | Select All Subnets to include all subnets, or select Specify to choose which subnet(s) or subnet group(s) will be included or excluded from triggering events. | |
| Filters | Configure one or more filters for the handler. You can add multiple filters each with its own set of filter settings. You can enable or disable specific filters in an event handler. | |
| Log Device Type | If you are in a Security Fabric ADOM, select the log device type from the dropdown list. If you are not in a Security Fabric ADOM, you cannot change the Log Device Type. | |
| Log Type | Select the log type from the dropdown list.
When Devices is set to Local Device, you cannot change the Log Type or Log Subtype. |
|
| Log Subtype | Select the category of event that this handler monitors. The available options depends on the platform type.
This option is only available when Log Type is set to Event Log or Traffic Log. |
|
| Group By | Select how to group the events. Some Group By selections allow a secondary Group By option. If available, click Add beside the Group By field to add a secondary Group By option. | |
| Logs match | Select All or Any of the following conditions. | |
| Log Field | Select a log field to filter from the dropdown list. The available options depends on the selected log type. | |
| Match Criteria | Select a match criteria from the dropdown list. The available options depends on the selected log field. | |
| Value | Either select a value from the dropdown list or enter a value in the text box. The available options depends on the selected log field. | |
| Add | Add Log Field to the filter. | |
| Remove | Delete the filter. | |
| Generic Text Filter | Enter a generic text filter.
For information on text format, hover the cursor over the help icon. The operator ~ means contains and !~ means does not contain. |
| Field | Description |
| For more information on creating a generic text filter, see Using the Generic Text Filter in an event handler on page 68. | |
| Generate alert when at least n matches occurred over a period of n minutes | Enter threshold values to generate alerts. Enter the number of matching events that must occur in the number of minutes to generate an alert. |
| Event Message | If you wish, enter a custom event message. The default message is the Group By value. You can use variables in the event message. |
| Event Status | Select Allow FortiAnalyzerto choose or select a status from the dropdown list: Unhandled, Mitigated, Contained, or Blank. |
| Event Severity | Select the severity from the dropdown list: Critical, High, Medium, or Low. |
| Tags | If you wish, enter custom tags. Tags can be used as a filter when using default or custom views. |
| Additional Info | Specify what to show in the Additional Info column. You can use the system default information or configure a custom information message. |
| Use system
default |
Select to use the system default message in the Additional Info column. |
| Use custom message | Type a custom message for the Additional Info column. A custom message can include variables and log field names. For more information, click the question mark icon. |
| Notifications | Configure alerts for the handler. |
| Send Alert through Fabric Connectors | Send an alert through one or more fabric connectors. Click the + button to add fabric connectors. For more information, see Fabric Connectors on page 32. |
| Send Alert Email | Send an alert by email. Specify email parameters including the mail server. For more information, see Mail Server on page 212. |
| Send SNMP(…) Trap | Select one or both checkboxes and specify an SNMP community or user from the dropdown list. Click the add icon to create a new SNMP community or user. For more information, see SNMP on page 203. |
| Send Alert to Syslog Server | Send an alert to the syslog server. Select a syslog server from the dropdown list. Click the add icon to create a new syslog server. For more information, see Syslog Server on page 214. |
| Send Each Alert
Separately |
Select to send each alert individually instead of in a group. |