FortiAnalyzer
fgallardo1 (Staff)
Article Id 338049
Description

This article describes how to set up a FortiGate Automation Stitch that is triggered by a FortiAnalyzer Event Handler.

 

See the document below for more information:

Using the Automation Stitch for event handlers

 

For testing purposes, a FortiGate and a FortiAnalyzer VM were deployed.

Scope
FortiAnalyzer 7.2.1, FortiGate-VM 7.2.1.
Solution

The following steps describe how to use an event handler to trigger an automated email notification using a FortiGate stitch.

 

  1. From the FortiAnalyzer GUI, go to FortiSoC -> Handlers -> FortiGate Event Handlers. (The 'Automation Stitch' feature has been replaced by FortiGate Event Handlers; to trigger a stitch on FortiGate, enable this option on the event handler.)

  2. Select Create New and fill in the following information:

 

Name: AnomalyEvent.

Device: Specify the device.

Log Device Type: FortiGate.

Log Type: IPS.

Logs Match:

  • Log Field: Attack Name (attack).
  • Match Criteria: Equal To.
  • Value: tcp_port_scan.

Select the Add button to add another Log Match line and complete it as follows:

  • Log Field: Threat Level (crlevel).
  • Match Criteria: Equal To.
  • Value: critical.

The Value entries reflect the FortiGate log fields. Below is a raw log sample extracted from the FortiAnalyzer Log View:

 

date="2023-04-18" time="18:34:18" id=7223537385827467264 bid=105474 dvid=1042 itime=1681860859 euid=3 epid=1025 dsteuid=3 dstepid=101 logver=700040301 type="utm" subtype="anomaly" level="alert" action="detected" sessionid=0 srcip="10.0.0.60" dstip="10.0.0.254" srcport=59985 dstport=6 attackid=100663398 severity="critical" proto=6 logid="0720018432" service="tcp/6" eventtime=1681860858996681532 count=1911 policyid=1 crscore=50 craction=4096 crlevel="critical" srcintfrole="lan" policytype="DoS-policy" srcintf="LAN" ref="http://www.fortinet.com/ids/VID100663398" attack="tcp_port_scan" eventtype="anomaly" srccountry="Reserved" msg="anomaly: tcp_port_scan, 101 > threshold 100, repeats 1911 times since last log, pps 54 of prior second" threatlevel=4 threat="tcp_port_scan" threattype="ips" tz="-0500" dstcountry="Reserved" devid="FG5H0EXXXXXXXXXX" vd="root" devname="FortiGate-500E" devgrps="{NULL}"

 

  3. Fill in the remaining fields as follows, leave the rest at their defaults, and select OK:

 

Event Severity: Critical.

Tags: AnomalyDetected.

 


 

  4. In the FortiGate GUI, go to Log & Report -> Log Settings and complete the following configuration:

Send logs to FortiAnalyzer/FortiManager: enable.

Server: FortiAnalyzer IP Address.

Allow access to FortiGate REST API: enable.

Verify FortiAnalyzer certificate: enable.

 

Test connectivity and authorize the FortiGate on the FortiAnalyzer side as follows:

 

  1. Select Unauthorized Devices on FortiAnalyzer root ADOM.
  2. Right-click the FortiGate device and select Authorize.
  3. Confirm Authorize device.

 

  5. Also make sure that the following settings are enabled in the FortiGate CLI:

config log fortianalyzer setting
    set access-config enable
    set upload-option realtime
    set reliable enable
end

 


 

  6. In the FortiGate GUI, go to Security Fabric -> Automation -> + Create New and fill in the fields as follows:

Name: AnomalyEventNotification.

Status: Enable.

Stitch: select + Add Trigger, then + Create, and choose FortiAnalyzer Event Handler.

Name: AnomalyEventHandler.

Event handler name: Select AnomalyEvent.

Event severity: critical.

Event tag: Select AnomalyDetected.

 

Select the OK and Apply buttons.

 

  7. Back in the Create New Automation Stitch section, select + Add Action and then + Create.

In the Notifications section select Email and fill in the following information:

 

Name: AnomalyEmailNotification.

To: complete with the destination email for notifications.

Subject: Anomaly activity detected.

 

Leave the rest of the fields as default.

 

Select OK, select the entry, and the Apply button.

 


 

 

  8. To validate how the stitch performs, an artificial port-scanning event is generated: the Nmap scanner is run from a test computer on the same network against the FortiGate interface.

 

  9. On the FortiGate side, go to Policy & Objects -> IPv4 DoS Policy -> + Create New and fill in the following:

 

Name: OutboundDoS.

Incoming Interface: LAN.

Source Address: all.

Destination Address: all.

Service: all.

 

In the L4 Anomalies section, enable logging for tcp_port_scan, choose Monitor as the Action, and make sure that the policy is enabled.

 


 

  10. Run a scan from the test computer as follows:

nmap -T4 -A -v 10.0.0.254

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-18 17:34
NSOCK ERROR [0.1890s] ssl_init_helper(): OpenSSL legacy provider failed to load.
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Scanning x.x.x.x [1 port]
Completed ARP Ping Scan at 17:34, 0.78s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:34
Completed Parallel DNS resolution of 1 host. at 17:34, 0.05s elapsed
Initiating SYN Stealth Scan at 17:34
Scanning 10.0.0.254 [1000 ports]
Discovered open port 443/tcp on 10.0.0.254
Discovered open port 22/tcp on 10.0.0.254
Completed SYN Stealth Scan at 17:34, 4.62s elapsed (1000 total ports)
Initiating Service scan at 17:34
Scanning 2 services on x.x.x.x
Completed Service scan at 17:34, 17.66s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against x.x.x.x
Retrying OS detection (try #2) against x.x.x.x
PORT    STATE  SERVICE   VERSION
22/tcp  open   ssh       (protocol 2.0)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.52 seconds
           Raw packets sent: 2068 (94.588KB) | Rcvd: 27 (1.824KB)

 

  11. In the FortiAnalyzer GUI, go to FortiSoC -> Handlers -> FortiGate Event Handlers.

 

In the Event column confirm the events are increasing.

 


 

 

  12. Go back to the FortiGate GUI, Security Fabric -> Automation, and in the Trigger Count column confirm that the count is increasing for the AnomalyEventNotification stitch.

 


 

  13. Confirm that the alert email was received.

 


Troubleshooting: if the configuration is not working as expected, check the following.

 

FortiGate side - Check the Email Service configuration:

 

GUI -> System -> Settings -> Email Service.

 


 

FortiGate side - Debug email notification:

 

diagnose debug application alertmail -1
Debug messages will be on for 30 minutes.
diagnose debug enable

Anomaly activity detected
date=2023-06-01 time=12:59:06 eventtime=1685642345915083419 tz="-0500" logid="0100065300" type="event" subtype="system" level="notice" vd="root" logdesc="Internal Message" ackflag="no" alertid="202306011000000003" logcount="1" alerttime="1685642337" devid="FG5H0E3917901887" devname="FortiGate-500E" eventtype="ips" groupby1="100663398" groupby2="" groupby3="" readflag="no" severity="critical" subject="" tag="AnomalyDetected" triggername="AnomalyEvent" vdom="root" epid="1026" euid="3" epip="10.0.0.61" srcip=10.0.0.61 epname="10.0.0.61" euname="N/A" extrainfo="{ \"type\": \"General\", \"id\": \"100663398\" }"
mail_info:
        from:notification.fortinet.net  user:noreply
mail_info:
        reverse path:noreply@notification.fortinet.net
        user name:noreply
to[0]:emailaccount@mail.com
<==_init_mail_info
create session
resolve notification.fortinet.net to 1 IP
==> send mail
connecting to 208.91.114.151 port 465
send mail 0x92a0c50 session 0x92a3190
session_io_event: creating ssl structure for session 0x92a3190
create_ssl: 0x7f3177bbb000
sessionn 0x92a3190, SSL connected
session: 0x92a3190, rsp_state: greeting, code: 220
session: 0x92a3190, rsp_state: ehlo, code: 250
session: 0x92a3190, rsp_state: mail, code: 250
session: 0x92a3190, rsp_state: rcpt, code: 250
session: 0x92a3190, rsp_state: data, code: 354
=== send: date=2023-06-01 time=12:59:06 eventtime=1685642345915083419 tz="-0500" logid="0100065300" type="event" subtype="system" level="notice" vd="root" logdesc="Internal Message" ackflag="no" alertid="202306011000000003" logcount="1" alerttime="1685642337" devid="FG5H0E3917901887" devname="FortiGate-500E" eventtype="ips" groupby1="100663398" groupby2="" groupby3="" readflag="no" severity="critical" subject="" tag="AnomalyDetected" triggername="AnomalyEvent" vdom="root" epid="1026" euid="3" epip="10.0.0.61" srcip=10.0.0.61 epname="10.0.0.61" euname="N/A" extrainfo="{ \"type\": \"General\", \"id\": \"100663398\" }"
session: 0x92a3190, rsp_state: data2, code: 250
session: 0x92a3190, rsp_state: quit, code: 221
session finined
_session_on_destroy
<== send mail success, m = 0x92a0c50 s = 0x92a3190 <--- Email was sent successfully.

 

FortiGate side - Debug stitch:

 

diagnose debug application autod -1
Debug messages will be on for 30 minutes.
diagnose debug enable

FortiGate-500E # pid:271-__handle_msg()-291: Subscriber:4 received package. pubid:3 pkgid:488
pid:271-__pkg_open()-190: Subscriber:4 processing package id:488 from pubisher:3
pid:271-__handle_pkg_logs()-235: Subscriber:4 processing package size:1372 logs:1 pickup:1
autod(pid:271) log packet: total sz:1372 data sz:570 fld_num:31
autod(pid:271) log datetime: 2023-06-01 13:00:40
autod(pid:271) log header: logid:65300 vfid:0 sever:5 cat:1 subcat:0 key:0 flags:0484 reqlen:467 timestamp:1685642440908044604
fields:
                id:8 name:(9)eventtime value:(19)1685642440908044604
                id:9 name:(2)tz value:(5)-0500
                id:2 name:(5)logid value:(10)0100065300
                id:3 name:(4)type value:(5)event
                id:4 name:(7)subtype value:(6)system
                id:5 name:(5)level value:(6)notice
                id:6 name:(2)vd value:(4)root
                id:31 name:(7)logdesc value:(16)Internal Message
        unknown id:-1 name:(7)ackflag value:(2)no
        unknown id:-1 name:(7)alertid value:(18)202306011000000004
        unknown id:-1 name:(8)logcount value:(1)1
        unknown id:-1 name:(9)alerttime value:(10)1685642430
                id:7 name:(5)devid value:(16)FG5H0EXXXX
        unknown id:-1 name:(7)devname value:(14)FortiGate-500E
                id:353 name:(9)eventtype value:(3)ips
        unknown id:-1 name:(8)groupby1 value:(9)100663398
        unknown id:-1 name:(8)groupby2 value:(0)
        unknown id:-1 name:(8)groupby3 value:(0)
        unknown id:-1 name:(8)readflag value:(2)no
                id:295 name:(8)severity value:(8)critical
        unknown id:-1 name:(7)subject value:(0)
        unknown id:-1 name:(3)tag value:(15)AnomalyDetected <--- Event tag
        unknown id:-1 name:(11)triggername value:(12)AnomalyEvent <--- Handler name
        unknown id:-1 name:(4)vdom value:(4)root
        unknown id:-1 name:(4)epid value:(4)1026
        unknown id:-1 name:(4)euid value:(1)3
        unknown id:-1 name:(4)epip value:(9)10.0.0.61
                id:11 name:(5)srcip value:(9)10.0.0.61
        unknown id:-1 name:(6)epname value:(9)10.0.0.61
        unknown id:-1 name:(6)euname value:(3)N/A
        unknown id:-1 name:(9)extrainfo value:(48){ \"type\": \"General\", \"id\": \"100663398\" }
pid:271-miglog_subscr_pkg_close()-96: close package size:1372 logs:1
__action_email_hdl()-173: email action (AnomalyEmailNotification) is called <--- Email notification starts.

FortiAnalyzer side - Debug handler:

diag test app sqllogd 200 config handler=AnomalyEvent
* Enabled handlers in Adom root [3] is 371:
----------------------------------------
Handler Name   : AnomalyEvent
Handler Type   : Remote
Subject        :
Subject Parsed : attackid:${groupby1}
Event Status   :  (0)
Tag            : AnomalyDetected
Log chk/hit    : 2/2  <--- Handler hit.
...
criteria       : ( ( type="utm" and subtype="ips" ) or ( type="anomaly" and subtype="anomaly" ) or ( type="utm" and subtype="anomaly" ) or type="ips" ) and ( attack="tcp_port_scan" or crlevel="critical" )
filterkey      : 3228198531440964248
filtercksum    : 2083056603
tbuk size      : 0/112

sqlfilter      : ( ( type="utm" and subtype="ips" ) or ( type="anomaly" and subtype="anomaly" ) or ( type="utm" and subtype="anomaly" ) or type="ips" ) and ( attack="tcp_port_scan" or crlevel="critical" )
* Enabled handlers in Adom root [3] is 371.

 

To stop the debugging, run the following commands:

diagnose debug disable
diagnose debug reset

 

FortiAnalyzer side - Check the handler configuration:

Review the handler configuration in the FortiAnalyzer GUI under FortiSoC -> Handlers -> FortiGate Event Handlers.

 

FortiAnalyzer side - Check that the raw log matches the handler:

 

Check that the fields in the raw log match the handler definition. In the raw log sample shown in step 2, type="utm" and subtype="anomaly" satisfy the log-type part of the criteria printed by the handler debug, and attack="tcp_port_scan" together with crlevel="critical" satisfy the two Log Match lines, which is consistent with the Log chk/hit value of 2/2 reported above.
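The following Python is an added example, not part of the original article and not Fortinet's own matching code: it parses a FortiGate key=value raw log and evaluates the handler criteria string printed by the sqllogd debug above against it, so a log can be checked against the handler definition (step 2) offline before looking at Log chk/hit. SAMPLE_LOG is a constructed, abridged copy of the article's raw log; the parser and the and/or/parentheses evaluator are assumptions about how the criteria syntax is read.

```python
import re
# Constructed sample, abridged from the raw FortiGate anomaly log shown in the article.
SAMPLE_LOG = ('date="2023-04-18" time="18:34:18" type="utm" subtype="anomaly" level="alert" '
              'srcip="10.0.0.60" dstip="10.0.0.254" attackid=100663398 crlevel="critical" '
              'attack="tcp_port_scan" eventtype="anomaly" threattype="ips" devgrps="{NULL}"')
# Handler criteria as printed by "diag test app sqllogd 200 config handler=AnomalyEvent".
CRITERIA = ('( ( type="utm" and subtype="ips" ) or ( type="anomaly" and subtype="anomaly" ) '
            'or ( type="utm" and subtype="anomaly" ) or type="ips" ) '
            'and ( attack="tcp_port_scan" or crlevel="critical" )')
KV_RE = re.compile(r'(\w+)=("((?:[^"\\]|\\.)*)"|\S+)')  # key="text with \"escapes\"" or key=bare

def parse_fortigate_log(line):
    """Parse a FortiGate key=value log line into a dict, unescaping quotes inside quoted values."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3).replace('\\"', '"') if m.group(3) is not None else m.group(2)
    return fields

def evaluate_criteria(expr, fields):
    """Evaluate a handler criteria expression (parentheses, and/or, key="value") against log fields."""
    tokens = re.findall(r'\(|\)|\band\b|\bor\b|\w+="[^"]*"', expr)
    pos = 0
    def parse_or():                       # lowest precedence: a or b
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == 'or':
            pos += 1
            value = parse_and() or value  # always parse the right side so its tokens are consumed
        return value
    def parse_and():                      # binds tighter than or
        nonlocal pos
        value = parse_atom()
        while pos < len(tokens) and tokens[pos] == 'and':
            pos += 1
            value = parse_atom() and value
        return value
    def parse_atom():                     # '(' expr ')' or key="value"
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == '(':
            value = parse_or()
            pos += 1                      # consume the matching ')'
            return value
        key, _, quoted = tok.partition('=')
        return fields.get(key) == quoted.strip('"')
    return parse_or()

def handler_matches(line, criteria=CRITERIA):  # True when the log would count as a 'Log chk/hit' hit
    return evaluate_criteria(criteria, parse_fortigate_log(line))
```

Run handler_matches() on lines copied from the FortiAnalyzer Log View: a False result for a log you expected to fire the handler points at a field mismatch in the Log Match lines rather than at the stitch or the email action.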