Technical Tip: Event handler triggered on sent or received bytes from specific IP address
Description
This article describes how to set up an event handler that triggers when the total bytes (or packets) sent or received by a given source IP address reach a configured threshold.
Scope
FortiAnalyzer.
Solution
- In FortiAnalyzer, go to Incidents & Events -> Event Handlers -> Basic Handlers -> Create New.
- Configure the handler as follows:
Name: sum.

- Create a new rule with the following configuration:
- Name: sum-rule.
- Log Subtype: Any.
- Log Field: Source IP (srcip).
- Remove any log filters.
- Trigger: an event when the sum of sentbyte (or rcvdbyte, sentpkt or rcvdpkt, depending on the direction and unit to be monitored) is greater than or equal to 10 Kilo Bytes.
Note: 10 KB is used here only for testing. In a real environment, the value should be based on the traffic volume that is considered abnormal for the monitored hosts.
Possible units are Kilo Bytes, Mega Bytes, Giga Bytes, and Tera Bytes.
- Select OK to save the rule, then OK again to save the handler.


- Make sure a FortiGate is sending traffic logs to FortiAnalyzer, so the handler has data to evaluate.
- Go to Event Monitor and expand the event created by the handler configured above. The event can be located with the following filter:
triggername="sum" AND handler_type="basic"
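To make the handler's logic concrete, the following Python script is an added example written for this article; it is not FortiAnalyzer code and does not reproduce its internals. It parses FortiGate traffic logs in their key=value syslog form, sums a chosen byte or packet field per srcip (the Log Field chosen above), and reports every srcip whose sum is greater than or equal to the threshold, which mirrors the rule's "greater than or equal to" comparison. The log lines are constructed for this example, the field names follow the FortiGate traffic log format, and the batch of lines stands in for the log window FortiAnalyzer evaluates. It goes slightly beyond the article by letting the summed field and the Log Subtype be chosen, so the effect of "Log Subtype: Any" versus "forward" can be seen.

```python
import re
from collections import defaultdict

# Constructed sample FortiGate traffic/event logs (key=value format); not real captures.
SAMPLE_LOGS = [
    'date=2024-01-15 time=10:00:01 devname="FGT-1" type="traffic" subtype="forward" srcip=10.0.0.5 dstip=93.184.216.34 dstport=443 action="accept" sentbyte=4096 rcvdbyte=1500 sentpkt=12 rcvdpkt=10',
    'date=2024-01-15 time=10:00:02 devname="FGT-1" type="traffic" subtype="forward" srcip=10.0.0.7 dstip=93.184.216.34 dstport=443 action="accept" sentbyte=2048 rcvdbyte=900 sentpkt=8 rcvdpkt=6',
    'date=2024-01-15 time=10:00:03 devname="FGT-1" type="traffic" subtype="forward" srcip=10.0.0.5 dstip=203.0.113.10 dstport=22 action="accept" sentbyte=6144 rcvdbyte=700 sentpkt=20 rcvdpkt=9',
    # Event log: has a srcip but no byte counters and is not type=traffic, so it must be skipped.
    'date=2024-01-15 time=10:00:04 devname="FGT-1" type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.0.0.7 action="login"',
    # Local-in traffic: counted when Log Subtype is Any, ignored when the rule is limited to "forward".
    'date=2024-01-15 time=10:00:05 devname="FGT-1" type="traffic" subtype="local" srcip=10.0.0.7 dstip=10.0.0.1 dstport=53 action="accept" sentbyte=9000 rcvdbyte=300 sentpkt=30 rcvdpkt=5',
]

# Unit multipliers matching the handler's Kilo/Mega/Giga/Tera Bytes options (binary multiples assumed).
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_log(line):
    """Parse one FortiGate key=value log line into a dict of string fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fields[key] = value
    return fields


def sum_by_field(lines, group_field="srcip", sum_field="sentbyte", subtype=None):
    """Sum `sum_field` (sentbyte/rcvdbyte/sentpkt/rcvdpkt) per `group_field` over traffic logs.

    subtype=None corresponds to "Log Subtype: Any"; otherwise only that subtype is counted.
    """
    totals = defaultdict(int)
    for line in lines:
        f = parse_log(line)
        if f.get("type") != "traffic":
            continue  # only traffic logs carry byte/packet counters
        if subtype is not None and f.get("subtype") != subtype:
            continue
        if group_field not in f or sum_field not in f:
            continue  # nothing to group by or nothing to add
        try:
            totals[f[group_field]] += int(f[sum_field])
        except ValueError:
            continue  # malformed counter; skip rather than abort the whole window
    return dict(totals)


def evaluate_handler(lines, threshold, unit="KB", group_field="srcip",
                     sum_field="sentbyte", subtype=None):
    """Return {group_value: total} for every group whose total is >= threshold in `unit`."""
    limit = threshold * UNITS[unit]
    totals = sum_by_field(lines, group_field, sum_field, subtype)
    return {k: v for k, v in totals.items() if v >= limit}


if __name__ == "__main__":
    # Same rule as the article: sum of sentbyte per srcip, trigger at >= 10 KB, any subtype.
    for src, total in sorted(evaluate_handler(SAMPLE_LOGS, 10, "KB").items()):
        print(f"event: srcip={src} sentbyte_sum={total}")
    # Restricting the rule to subtype=forward drops 10.0.0.7, whose local-in traffic no longer counts.
    for src, total in sorted(evaluate_handler(SAMPLE_LOGS, 10, "KB", subtype="forward").items()):
        print(f"event (forward only): srcip={src} sentbyte_sum={total}")
```

In the sample, 10.0.0.5 reaches exactly 10240 bytes and still triggers because the comparison is "greater than or equal to"; 10.0.0.7 only crosses the threshold when local-in traffic is included, which is why the Log Subtype choice matters when tuning the real handler.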

Note:
By attaching a notification profile to the handler (see 'Creating notification profiles'), this information can be delivered to the team in real time.
The SUM option is available only if:
- The ADOM type is Fabric.
- The SIEM module is enabled.
Whether the SIEM module is enabled can be verified in the CLI under 'config system global', where 'set disable-module' accepts the following values:
config system global
(global)# set disable-module
fortiview-noc FortiView/NOC-SOC module.
siem SIEM module.
soc SOC module.
ot-view OT-VIEW module.
none No modules disabled.
'siem' must not be present in the configured 'disable-module' list; if it is, the SUM option will not be available in the handler.
Related documents:
Creating a custom event handler
Technical Tip: FortiAnalyzer Event Handler for data exfiltration detection
Troubleshooting Tip: How to troubleshoot for event handler related issues
