Fortianalyzer Event Handler Firing Even Though Pattern Excludes Triggering Event
I have a FAZVM64 running v6.2.6 with a large number of customer ADOMs defined. In order to make event handling consistent, I have a script which generates a .json file containing the two event handlers that each ADOM currently requires. These .json files are regenerated when the criteria for the handlers change, and the two handlers are removed from each ADOM and then re-imported from the updated .json file.
The problem I have is that even though I have lines excluding specific logid values, the event handler is still firing on those events.
So for example I have the generic-ized .json handler file attached, and I'm still getting alerts firing on Log ID 0101037132 -- even though that's specifically excluded.
Can anyone tell me what I should look for to figure this out?
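One way to narrow a problem like this down is to evaluate the handler's filter rules offline against a handful of log records and see which ones it would fire on. The script below is an added example, not the poster's generator script and not FortiAnalyzer's real event-handler JSON schema: the `HANDLER` structure, its `in`/`not_in` operators and the sample `RECORDS` are all constructed and assumed. It compares Log IDs as integers, so a zero-padded exclusion such as `"0101037132"` and a record carrying the numeric form `101037132` are treated as the same ID, and it places a naive string-equality evaluator beside it to show how the two can disagree.

```python
"""Offline check of an event-handler filter against sample log records.

Added example: the handler structure below is a simplified, assumed
shape, not FortiAnalyzer's actual event-handler JSON schema.
"""
from __future__ import annotations

# Constructed handler: fire on warning/critical records except the listed Log IDs.
HANDLER = {
    "name": "example-handler",
    "filters": [
        {"field": "logid", "op": "not_in", "values": ["0101037132", "0100032001"]},
        {"field": "level", "op": "in", "values": ["warning", "critical"]},
    ],
}

# Constructed sample records: note the mix of zero-padded strings and ints.
RECORDS = [
    {"logid": "0101037132", "level": "warning", "msg": "excluded, padded string"},
    {"logid": 101037132, "level": "warning", "msg": "excluded, numeric form"},
    {"logid": "0100032002", "level": "critical", "msg": "not excluded"},
    {"logid": "0100032002", "level": "notice", "msg": "level does not match"},
]


def normalize_logid(value) -> int:
    """Compare Log IDs as integers so '0101037132' and 101037132 are equal."""
    return int(str(value).strip())


def _norm(field: str, value):
    """Normalize a field value before comparison (logid as int, others lowercase)."""
    return normalize_logid(value) if field == "logid" else str(value).lower()


def rule_matches(rule: dict, record: dict) -> bool:
    """Evaluate one filter rule against one record with normalized values."""
    field = rule["field"]
    if field not in record:
        return False
    actual = _norm(field, record[field])
    expected = {_norm(field, v) for v in rule["values"]}
    if rule["op"] == "in":
        return actual in expected
    if rule["op"] == "not_in":
        return actual not in expected
    raise ValueError(f"unknown op {rule['op']!r}")


def handler_fires(handler: dict, record: dict) -> bool:
    """All filters must hold (AND) for the handler to fire on a record."""
    return all(rule_matches(r, record) for r in handler["filters"])


def naive_handler_fires(handler: dict, record: dict) -> bool:
    """Same rule logic but with raw string equality, to show the padding pitfall."""
    for rule in handler["filters"]:
        actual = str(record.get(rule["field"]))
        hit = actual in rule["values"]
        if (rule["op"] == "in" and not hit) or (rule["op"] == "not_in" and hit):
            return False
    return True


def evaluate(handler: dict, records: list[dict]) -> list[tuple[str, bool, bool]]:
    """Return (description, normalized result, naive result) for each record."""
    return [
        (rec["msg"], handler_fires(handler, rec), naive_handler_fires(handler, rec))
        for rec in records
    ]


if __name__ == "__main__":
    for msg, strict, naive in evaluate(HANDLER, RECORDS):
        print(f"{msg:28} normalized={strict!s:5} naive={naive}")
```

Running it shows the second record (numeric Log ID) is excluded by the normalizing evaluator but still fires under plain string comparison; comparing the values your handler file carries with the form the records actually use is the first thing to check.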