Understanding event statuses – FortiAnalyzer – FortiOS 6.2.3

Understanding event statuses

In the Event Monitor dashboards, you can view the status of an event in the Event Status column. Event statuses include Unhandled, Mitigated, Contained, and (blank).

Event statuses are applied by the associated event handler. When creating a custom event handler, you can manually select an event status or choose to allow FortiAnalyzer to decide.

In general, when Allow FortiAnalyzerto choose is selected, the event status for UTM events is applied based on the following:

Event status   Description
Unhandled   The security event risk is not mitigated or contained, so it is considered open.

Example: an IPS/AV log with action=pass will have the event status Unhandled.

Botnet and IoC events are also considered Unhandled.

Contained   The risk source is isolated.

Example: an AV log with action=quarantine will have the event status Contained.

Mitigated   The security risk is mitigated by being blocked or dropped.
Event status Description
  Example: an IPS/AV log with action=block/drop will have the event status Mitigated.
(Blank) Other scenarios.

Free Fortinet Training!

Fortinet has released some free Fortinet training that will enable you to get training free of charge straight from the source. Learn how to utilize the entire infrastructure as best as you can. This covers the entire product field for the most part as you train on the NSE1-8. FortiGate, FortiManager, FortiAnalyzer, FortiSwitch, FortiMail and more! The training is accessible here: https://www.fortinet.com/training/cybersecurity-professionals.html

Creating custom views – FortiAnalyzer – FortiOS 6.2.3

Creating custom views

To create a custom view:

  1. Go to Incidents & Events.
  2. Select an existing view to copy.
  3. Select Add Filters to add any additional filters you want to include in the custom view.
  4. Select the custom view icon on the top-right side of the toolbar.
  5. Enter a name for the custom view and assign it to one of the following categories:

l By Endpoint l By Threat l System Events l Custom View

  1. Select OK to save the view.

Once the custom view is created, you can modify it further by removing or adding filters. Modifications can be saved by selecting the custom view icon and choosing Save or Save As to save the changes as a new view.

Managing default views – FortiAnalyzer – FortiOS 6.2.3

Managing default views

Default views in the By Endpoint, By Threat, and System Events view categories can be hidden, disabled, or copied as a custom view, allowing you to display only the views that are useful to the user.

To hide default views:

  1. Go to Incidents & Events > Event Monitor.
  2. Select an event category.
  3. Right-click on an event view and select Hide.

To disable/enable default views:

  1. Go to Incidents & Events.
  2. Select the gearicon on the bottom of the navigation tree to access the Default Views
  3. Choose which views are displayed. Add a checkmark to enable the view; remove the check mark to disable the view.
  4. Select Save.

Viewing event details and Acknowledging Events – FortiAnalyzer

Viewing event details

In an event list, to view event details, double-click an event line to drill down for more details.

The event details page contains information about the event and a list of all individual logs. You can work on events using buttons in the toolbar or by right-clicking an event. l To change what columns to display, click Column Settings or Column Settings > More Columns. l In event details, to view raw logs, click Tools > Display Raw. l To switch back to formatted log view, click Tools > Formatted Log. l To return to the previous page, click the back button.

Acknowledging events

Acknowledging an event removes it from the event list. Click Show Acknowledged to view acknowledged events.

To acknowledge events:

l In the event list, select one or more events, then right-click and select Acknowledge.

Filtering events – FortiAnalyzer – FortiOS 6.2.3

Filtering events

You can filter events using the Add Filter box in the toolbar or by right-clicking an entry and selecting a context-sensitive filter.

Filter FortiView summaries using the Add Filter box in the toolbar or by right-clicking an entry and selecting a contextsensitive filter. You can also filter by specific devices or log groups and by time.

To filter events using filters in the toolbar:

  • Specify filters in the Add Filter
  • Regular Search: In the selected summary view, click Add Filter and select a filter from the dropdown list, then type a value. Click NOT to negate the filter value. You can add multiple filters and connect them with “and” or

“or”.

  • Advanced Search: Click the Switch to Advanced Search icon at the end of the Add Filter In Advanced Search mode, enter the search criteria (log field names and values). Click the Switch to RegularSearch icon  to go back to regular search.

To filter events using the right-click menu:

In the event list, right-click an entry and select a filter criterion (Search <filtervalue>).

Depending on the column in which your mouse is placed when you right-click, FortiView uses the column value as the filter criteria. This context-sensitive filter is only available for certain columns.

To launch Search in Logview from an event:

In the event list, right-click an entry and select Search in Logview.

Log View will launch with the filter automatically filled in with the following information:

  • Log type of the event
  • Time range (the first to the last occurrence of the event) l Event trigger and group by value

Default event views – FortiAnalyzer – FortiOS 6.2.3

Default event views

FortiAnalyzer event handlers apply one or more tags to events, allowing the events to be grouped into views in the Event Monitor. These views are visible in the left navigation tree. Default views are organized into three view categories, including:

  • By Endpoint: Provides security event views from an endpoint perspective.
  • By Threat: Provides security event views from a threat perspective. l System Events: Provides event views which cover device system events.

In order for events to be displayed in default views, the corresponding event handler(s) must be enabled. Refer to the chart below for a list of the predefined event handlers that must be enabled to support each default view:

View category           Default view Required predefined event handler
By Endpoint All Security Events Displays all events within category with enabled handlers
Compromised Hosts Default-Botnet-Communication-Detection-By-Endpoint

Default-Compromised Host-Detection-IOC-By-Endpoint

High Risk App Usage Default-Risky-App-Detection-By-Endpoint
Malicious Domain/URL Access Default-Risky-Destination-Detection-By-Endpoint
Malware Activity Default-Sandbox-Detections-By-Endpoint

Default-Malicious-File-Detection-By-Endpoint

Ongoing Intrusions Default-Malicious-Code-Detection-By-Endpoint
Sandbox Detections Default-Sandbox-Detections-By-Endpoint
By Threat All Security Events Displays all events within category with enabled handlers
C&C Call Backs Default-Botnet-Communication-Detection-By-Threat

Default-Compromised Host-Detection-IOC-By-Threat

High Risk App Usage Default-Risky-App-Detection-By-Threat
Malicious Domain/URL Access Default-Risky-Destination-Detection-By-Threat
Malware Activity Default-Sandbox-Detections-By-Threat

Default-Malicious-File-Detection-By-Threat

Ongoing Intrusions Default-Malicious-Code-Detection-By-Threat
Sandbox Detections Default-Sandbox-Detections-By-Threat
System Events All Displays all events within category with enabled handlers
FortiGate Default FOS System Events
Local Device Local Device Event

You can see the tags associated with each view by hovering your mouse over the view in Incidents & Events; a pop-up is displayed.

Default views can be hidden or disabled. For more information, see Managing default views.

Admins can copy existing views to create custom views. For more information, see Creating custom views.