FortiAnalyzer 6.0.2 Administration Guide

Predefined event handlers

FortiAnalyzer includes predefined event handlers for FortiGate and FortiCarrier devices that you can use to generate events. You can easily create a custom event handler by cloning a predefined event handler and customizing its settings. See Cloning event handlers.

The following are a sample of predefined event handlers. To see all predefined event handlers, go to Event Manager > Event Monitor > Event Handler List and select Show Predefined.

Event Handler

Description

Application Crashed Event

Enabled by default

  • Event Severity: Medium
  • Log Type: Event Log
  • Log Subtype: System
  • Group by: Log Description
  • Log messages that match all conditions:
    • Log Description Equal To Application crashed
    • Level Greater Than or Equal To Warning

Default - Sandbox-Detection

Disabled by default

Filter 1:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Endpoint, Virus Name
  • Log messages that match all of the following conditions:
    • logid==0211009235

Filter 2:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Endpoint, Virus Name
  • Log messages that match all of the following conditions:
    • logid==0211009234

Filter 3:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Endpoint
  • Log messages that match all of the following conditions:
    • logid==0201009238 and fsaverdict==malicious

Default-Compromised Host-Detection-by IOC

Disabled by default

Filter 1:

  • Event Severity: Critical
  • Log Type: Traffic Log
  • Group by: Endpoint
  • Log messages that match all of the following conditions:
    • tdtype~infected

Filter 2:

  • Event Severity: Critical
  • Log Type: Web Filter
  • Group by: Endpoint
  • Log messages that match all of the following conditions:
    • tdtype~infected

Filter 3:

  • Event Severity: Critical
  • Log Type: DNS Log
  • Group by: Endpoint
  • Log messages that match all of the following conditions:
    • tdtype~infected

IPS - Critical Severity

Enabled by default

  • Event Severity: Critical
  • Log Type: IPS
  • Group by: Attack Name
  • Log messages that match all conditions:
    • Severity Equal To Critical

Local Device Event

Available only in the Root ADOM.

Enabled by default

  • Devices: Local Device
  • Event Severity: Medium
  • Log Type: Event Log
  • Event Type: Any
  • Group By: Lod Description
  • Log messages that match any of the following conditions:
    • Level Equal Greater Than or Equal To Warning

UTM Antivirus Event

Enabled by default

  • Event Severity: High
  • Log Type: Antivirus
  • Group by: Virus Name
  • Log messages that match all conditions:
    • Level Greater Than or Equal To Information
    • virus!='' and virus!='N/A' and dtype!='fortisandbox'

UTM Web Filter Event

Enabled by default

  • Event Severity: Medium
  • Log Type: Web Filter
  • Group by: Category
  • Log messages that match any of the following conditions:
    • Web Category Equal To Child Abuse
    • Web Category Equal To Discrimination
    • Web Category Equal To Drug Abuse
    • Web Category Equal To Explicit Violence
    • Web Category Equal To Extremist Groups
    • Web Category Equal To Hacking
    • Web Category Equal To Illegal or Unethical
    • Web Category Equal To Plagiarism
    • Web Category Equal To Proxy Avoidance
    • Web Category Equal To Malicious Websites
    • Web Category Equal To Phishing
    • Web Category Equal To Spam URLs