Incident and Event Management – FortiAnalyzer – FortiOS 6.2.3

Incident and Event Management

Use Incidents & Events to generate, monitor, and manage alerts and events from logs. The live monitoring of security events is a powerful and enabling feature for security operations. Incidents can be created from events to track and respond to suspicious or malicious activities.

Incidents & Events displays all events generated by event handlers.

Event handlers

Event handlers determine what events are to be generated from logs. Enable an event handler to start generating events. To see which event handlers are enabled or disabled, see Enabling event handlers.

When ADOMs are enabled, each ADOM has its own event handlers and lists of events. Ensure you are in the correct ADOM when working in Incidents & Events.

You can use predefined event handlers to generate events. There are predefined event handlers for FortiGate, FortiSandbox, FortiMail, and FortiWeb devices. In a Security Fabric ADOM, all predefined event handlers are displayed.

You can create custom event handlers. An easy way to create a custom event handler is to clone a predefined event handler and customize its settings. See Cloning event handlers.

Configure event handlers to generate events for all devices, a specific device, or for the local FortiAnalyzer unit. You can create event handlers for FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiWeb, FortiSandbox devices, and syslog servers. Incidents & Events supports local FortiAnalyzer event logs. To see event handlers, go to Incidents & Events > Event Monitor > Event Handler List.

Event handlers generate events only from Analytics logs and not Archive logs. For more information, see Analytics and Archive logs.

In an Analyzer–Collector collaboration scenario, the Analyzer evaluates event handlers. For more information, see Analyzer–Collector collaboration.

You can also import and export event handlers, allowing you to develop custom event handlers and deploy them in bulk to other ADOMs or FortiAnalyzer units. For more information, see Importing and exporting event handlers.

Predefined event handlers

FortiAnalyzer includes many predefined event handlers that you can use to generate events. You can easily create a custom event handler by cloning a predefined event handler and customizing its settings. See Cloning event handlers.

The following are a small sample of FortiAnalyzer predefined event handlers. To see all predefined event handlers, go to Incidents & Events > Event Monitor > Event Handler List and select Show Predefined.

Event Handler: Default-Compromised Host-Detection-by-IOC-By-Threat
Disabled by default.

Filter 1:
- Event Severity: Critical
- Log Type: Traffic Log
- Group by: dstip
- Log messages that match all of the following conditions:
  - tdtype~infected
- Tags: By_Endpoint, IP, C&C

Filter 2:
- Event Severity: Critical
- Log Type: Web Filter
- Group by: Hostname URL
- Log messages that match all of the following conditions:
  - tdtype~infected
- Tags: By_Endpoint, C&C, URL

Filter 3:
- Event Severity: Critical
- Log Type: DNS Log
- Group by: QNAME
- Log messages that match all of the following conditions:
  - tdtype~infected
- Tags: By_Endpoint, C&C, Domain

Event Handler: Default-Data-Leak-Detection-By-Threat
Disabled by default.

Filter 1:
- Event Severity: Medium
- Log Type: DLP
- Group by: Filter Category, Source Endpoint
- Tags: Signature, Leak

Filter 2:
- Event Severity: Low
- Log Type: DLP
- Group by: Filter Category
- Event Status: Mitigated
- Tags: Signature, Leak

Event Handler: Default-Sandbox-Detections-By-Endpoint
Disabled by default.

Filter 1:
- Event Severity: Critical
- Log Type: AntiVirus
- Group by: Source Endpoint, Virus Name
- Log messages that match all of the following conditions:
  - logid==0211009235 or logid==0211009237
- Tags: By_Endpoint, Sandbox, Signature, Malware

Filter 2:
- Event Severity: Critical
- Log Type: AntiVirus
- Group by: Source Endpoint, Virus Name
- Log messages that match all of the following conditions:
  - logid==0211009234 or logid==0211009236
- Tags: By_Endpoint, Sandbox, Signature, Malware

Filter 3:
- Event Severity: Critical
- Log Type: AntiVirus
- Group by: Source Endpoint
- Log messages that match all of the following conditions:
  - logid==0201009238 and fsaverdict==malicious
- Tags: By_Endpoint, Sandbox, Malware

Event Handler: Local Device Event
Available only in the Root ADOM. Enabled by default.
- Devices: Local Device
- Event Severity: Medium
- Log Type: Event Log
- Event Type: Any
- Group By: Device ID
- Log messages that match the following conditions:
  - Level Equal To Emergency
- Tags: System, Local
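The conditions in the table above (logid==0211009235 or logid==0211009237, logid==0201009238 and fsaverdict==malicious, tdtype~infected) are generic text filters: == tests equality, ~ means contains, !~ means does not contain, and conditions are joined with and/or. The following Python is an added example for illustration and is not Fortinet's code; it evaluates such expressions against FortiOS-style key=value log lines, which is a convenient way to check what a handler filter will match before enabling it. The sample log lines and their field values are constructed, and the rule that and binds tighter than or is an assumption made here, not something the product documentation states.

```python
"""Evaluate event-handler filter expressions against key=value log lines.

Added example for illustration, not Fortinet code. Supports the operators shown
on the page (== equals, ~ contains, !~ does not contain) joined with and/or;
'and' binding tighter than 'or' is an assumption made here.
"""
import re
import shlex

# Constructed FortiOS-style log lines (field values are made up for the example;
# the logid values are the ones listed for the sandbox handler above).
SAMPLE_LOGS = [
    'logid=0211009235 srcip=10.0.0.5 virus="Constructed.Sample.A" fsaverdict=malicious',
    'logid=0211009236 srcip=10.0.0.7 virus="Constructed.Sample.B"',
    'logid=0201009238 srcip=10.0.0.5 fsaverdict=malicious',
    'logid=0201009238 srcip=10.0.0.9 fsaverdict=clean',
    'logid=0000000000 srcip=10.0.0.5 dstip=203.0.113.10 tdtype=infected',
]

# Filters of Default-Sandbox-Detections-By-Endpoint as listed in the table above.
SANDBOX_HANDLER = {
    "name": "Default-Sandbox-Detections-By-Endpoint",
    "filters": [
        {"name": "Filter 1", "severity": "Critical",
         "expr": "logid==0211009235 or logid==0211009237",
         "tags": ["By_Endpoint", "Sandbox", "Signature", "Malware"]},
        {"name": "Filter 2", "severity": "Critical",
         "expr": "logid==0211009234 or logid==0211009236",
         "tags": ["By_Endpoint", "Sandbox", "Signature", "Malware"]},
        {"name": "Filter 3", "severity": "Critical",
         "expr": "logid==0201009238 and fsaverdict==malicious",
         "tags": ["By_Endpoint", "Sandbox", "Malware"]},
    ],
}

# One condition: field, operator (== | !~ | ~), value. '!~' is listed before '~'
# so the alternation cannot split it into '!' and '~'.
_COND = re.compile(r'^\s*([\w.-]+)\s*(==|!~|~)\s*(.+?)\s*$')


def parse_log(line):
    """Split a 'key=value key2="quoted value"' line into a dict of strings."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def _match_condition(cond, fields):
    """Evaluate one 'field OP value' condition; a missing field never matches
    (an assumption of this example, including for '!~')."""
    m = _COND.match(cond)
    if not m:
        raise ValueError(f"unsupported condition: {cond!r}")
    key, op, want = m.groups()
    want = want.strip('"')
    if key not in fields:
        return False
    have = fields[key]
    if op == "==":
        return have == want
    if op == "~":
        return want in have
    return want not in have  # "!~"


def match_filter(expr, fields):
    """True if the fields satisfy expr; each 'and' group is OR-ed with the others."""
    for disjunct in re.split(r"\s+or\s+", expr, flags=re.IGNORECASE):
        conjuncts = re.split(r"\s+and\s+", disjunct, flags=re.IGNORECASE)
        if all(_match_condition(c, fields) for c in conjuncts):
            return True
    return False


def triggered_filters(handler, line):
    """Names of the handler's filters whose expression matches the log line."""
    fields = parse_log(line)
    return [f["name"] for f in handler["filters"] if match_filter(f["expr"], fields)]


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(triggered_filters(SANDBOX_HANDLER, line) or "-", line)
```

Running the block prints which sandbox filter each constructed line would trigger; the fourth line (fsaverdict=clean) triggers none, which is the case worth confirming when a new filter is written, since an expression that is too loose generates noise and one that is too tight generates nothing.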

FortiOS system events

FortiOS predefined system event handlers are consolidated into a single event handler with multiple filters called Default FOS System Events.

Events are organized by device in the Incidents & Events dashboards, which can be expanded to view all related events.

Default FOS System Event filters apply tags to each event, allowing you to identify which Default FOS System Event filter triggered the event.

If you are upgrading from a version before FortiAnalyzer 6.2.0, the existing legacy predefined handlers which are enabled or have been modified will be available as custom handlers. In the Event Handler List, select the More dropdown and choose Show Custom.

FortiGate event handlers

All FortiGates added to FortiAnalyzer use a default event handler on the FortiAnalyzer side to receive high severity events such as Botnet Communication, IPS Attack Pass Through, and Virus Pass Through AntiVirus.

Events triggered from the FortiGate event handler are not shown in the FortiAnalyzer GUI. The events are pushed to the FortiGate for further processing.

Custom FortiGate event handlers can also be created. See Creating a custom event handler.

Creating a custom event handler

You can create a custom event handler from scratch or clone a predefined event handler and customize its settings. See Cloning event handlers.

Configuring an event handler includes defining the following main sections:

Event handler attributes: Event handler attributes such as name, description, and devices.

Filters: Filters are rules for event generation.
- Select the log filters to limit the logs that trigger an event.
- Group the logs by primary and secondary (optional) values to separate the events that are generated for different Group By values.
- Set the number of occurrences within a time frame that triggers an event.
- Configure event fields such as event status and severity.

Additional Info: Specify what to show in the Additional Info column. You can use the system default information or configure a custom information message.

Notifications: Configure notifications to be sent on event generation. You can send alert notifications to a fabric connector, email address, SNMP community, or syslog server.

To create a new event handler:

  1. Go to Incidents & Events > Event Monitor > Event Handler List.
  2. In the toolbar, click Create New.
  3. Configure the settings as required and click OK.

Status: Enable or disable the event handler. Enabled event handlers have a Status of ON and disabled event handlers have a Status of OFF; the Event Handler List shows the corresponding status icon.

Name: Add a name for the handler.

Description: Type a description of the event handler.

Devices: Select the devices to include.
- All Devices
- Specify: To add devices, click the Add icon.
- Local Device: Select if the event handler is for local FortiAnalyzer event logs. This option is only available in the root ADOM and is used to query FortiAnalyzer event logs. For Local Device, the Log Type must be Event Log and the Log Subtype must be Any.

Subnets: Select All Subnets to include all subnets, or select Specify to choose which subnet(s) or subnet group(s) are included in or excluded from triggering events.

Filters: Configure one or more filters for the handler. You can add multiple filters, each with its own set of filter settings, and you can enable or disable specific filters in an event handler.
  Log Device Type: If you are in a Security Fabric ADOM, select the log device type from the dropdown list. If you are not in a Security Fabric ADOM, you cannot change the Log Device Type.
  Log Type: Select the log type from the dropdown list. When Devices is set to Local Device, you cannot change the Log Type or Log Subtype.
  Log Subtype: Select the category of event that this handler monitors. The available options depend on the platform type. This option is only available when Log Type is set to Event Log or Traffic Log.
  Group By: Select how to group the events. Some Group By selections allow a secondary Group By option. If available, click Add beside the Group By field to add a secondary Group By option.
  Logs match: Select All or Any of the following conditions.
  Log Field: Select a log field to filter from the dropdown list. The available options depend on the selected log type.
  Match Criteria: Select the match criteria from the dropdown list. The available options depend on the selected log field.
  Value: Either select a value from the dropdown list or enter a value in the text box. The available options depend on the selected log field.
  Add: Add a Log Field to the filter.
  Remove: Delete the filter.
  Generic Text Filter: Enter a generic text filter. For information on the text format, hover the cursor over the help icon. The operator ~ means contains and !~ means does not contain. For more information on creating a generic text filter, see Using the Generic Text Filter in an event handler.
  Generate alert when at least n matches occurred over a period of n minutes: Enter threshold values to generate alerts: the number of matching events that must occur within the given number of minutes to generate an alert.
  Event Message: If you wish, enter a custom event message. The default message is the Group By value. You can use variables in the event message.
  Event Status: Select Allow FortiAnalyzer to choose, or select a status from the dropdown list: Unhandled, Mitigated, Contained, or Blank.
  Event Severity: Select the severity from the dropdown list: Critical, High, Medium, or Low.
  Tags: If you wish, enter custom tags. Tags can be used as a filter when using default or custom views.

Additional Info: Specify what to show in the Additional Info column. You can use the system default information or configure a custom information message.
  Use system default: Select to use the system default message in the Additional Info column.
  Use custom message: Type a custom message for the Additional Info column. A custom message can include variables and log field names. For more information, click the question mark icon.

Notifications: Configure alerts for the handler.
  Send Alert through Fabric Connectors: Send an alert through one or more fabric connectors. Click the + button to add fabric connectors. For more information, see Fabric Connectors.
  Send Alert Email: Send an alert by email. Specify email parameters including the mail server. For more information, see Mail Server.
  Send SNMP(…) Trap: Select one or both checkboxes and specify an SNMP community or user from the dropdown list. Click the add icon to create a new SNMP community or user. For more information, see SNMP.
  Send Alert to Syslog Server: Send an alert to the syslog server. Select a syslog server from the dropdown list. Click the add icon to create a new syslog server. For more information, see Syslog Server.
  Send Each Alert Separately: Select to send each alert individually instead of in a group.
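The Filters section above describes three mechanics that decide when an event is raised: the primary and secondary Group By fields, which separate events per distinct value; the "at least n matches over a period of n minutes" threshold; and the default Event Message, which is the Group By value. The following Python is an added example for illustration and is not Fortinet's code; it models those mechanics with a sliding time window over constructed DLP-style log records, using the Group By and tags of Filter 1 of the Data-Leak handler listed earlier. The record field names (type, filtercat, srcip) and the threshold of 3 matches in 10 minutes are assumptions chosen for the example; the page states no threshold for that handler.

```python
"""Group By plus 'n matches in m minutes' threshold evaluation for event handlers.

Added example for illustration, not Fortinet code. Log records, field names
(type, filtercat, srcip) and the threshold values are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional


@dataclass
class HandlerFilter:
    """One filter of an event handler, mirroring the fields described above."""
    name: str
    predicate: Callable[[dict], bool]    # the 'Logs match' conditions, as a function
    group_by: tuple                      # primary and optional secondary Group By fields
    min_matches: int = 1                 # 'at least n matches ...'
    period_minutes: int = 1              # '... over a period of n minutes'
    severity: str = "Medium"
    tags: tuple = ()
    event_message: Optional[str] = None  # default message is the Group By value


@dataclass
class Event:
    filter_name: str
    group: tuple
    severity: str
    tags: tuple
    message: str
    count: int
    first_seen: datetime
    last_seen: datetime


def run_handler(filters, logs):
    """Feed parsed log records (dicts with an ISO-8601 'ts' field) through each filter.

    One Event is created per (filter, Group By value) once the threshold is met
    within the period; later matches update that event's count and last_seen
    instead of creating a new one. Matches older than the period are discarded.
    """
    windows = defaultdict(deque)  # (filter name, group) -> timestamps inside the period
    events = {}                   # (filter name, group) -> Event
    for log in sorted(logs, key=lambda rec: rec["ts"]):
        ts = datetime.fromisoformat(log["ts"])
        for flt in filters:
            if not flt.predicate(log):
                continue
            group = tuple(log.get(name, "") for name in flt.group_by)
            key = (flt.name, group)
            window = windows[key]
            window.append(ts)
            cutoff = ts - timedelta(minutes=flt.period_minutes)
            while window and window[0] < cutoff:
                window.popleft()
            if key in events:
                events[key].count += 1
                events[key].last_seen = ts
            elif len(window) >= flt.min_matches:
                events[key] = Event(flt.name, group, flt.severity, flt.tags,
                                    flt.event_message or ", ".join(group),
                                    len(window), window[0], ts)
    return list(events.values())


# Filter 1 of Default-Data-Leak-Detection-By-Threat (Medium, Group by Filter
# Category and Source Endpoint, tags Signature/Leak). The 3-in-10-minutes
# threshold is chosen for this example; the page does not state one.
DLP_FILTER = HandlerFilter(
    name="Filter 1",
    predicate=lambda rec: rec.get("type") == "dlp",
    group_by=("filtercat", "srcip"),
    min_matches=3,
    period_minutes=10,
    severity="Medium",
    tags=("Signature", "Leak"),
)

# Constructed records: three hits from 10.0.0.5 inside 10 minutes (one event),
# three from 10.0.0.6 spread so that never three fall in one window (no event).
SAMPLE_LOGS = [
    {"ts": "2024-01-01T10:00:00", "type": "dlp", "filtercat": "Credit-Card", "srcip": "10.0.0.5"},
    {"ts": "2024-01-01T10:02:00", "type": "dlp", "filtercat": "Credit-Card", "srcip": "10.0.0.5"},
    {"ts": "2024-01-01T10:04:00", "type": "dlp", "filtercat": "Credit-Card", "srcip": "10.0.0.5"},
    {"ts": "2024-01-01T10:05:00", "type": "dlp", "filtercat": "Credit-Card", "srcip": "10.0.0.6"},
    {"ts": "2024-01-01T10:06:00", "type": "traffic", "srcip": "10.0.0.5"},
    {"ts": "2024-01-01T10:30:00", "type": "dlp", "filtercat": "Credit-Card", "srcip": "10.0.0.6"},
    {"ts": "2024-01-01T10:31:00", "type": "dlp", "filtercat": "Credit-Card", "srcip": "10.0.0.6"},
]


if __name__ == "__main__":
    for ev in run_handler([DLP_FILTER], SAMPLE_LOGS):
        print(ev.severity, ev.message, ev.count, ev.tags)
```

With the threshold set, only the 10.0.0.5 / Credit-Card group produces an event (three matches within the ten-minute window); the 10.0.0.6 matches are too far apart. Lowering min_matches to 1 yields one event per Group By value as soon as a record matches, which is the behaviour of the predefined handlers above that set no threshold.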
