damianhlozano
Contributor

Where to find a log about phishing?

Hello team,

This is a stack with 2 Fortigates 100F (A-P)

In "FortiView - Sources", we found a machine with "30" in the "Threat score" column; all the others had 0.

When I drilled down, I found the following:

Screenshot threat.png

This was: biserka.xyz (phishing).

I have tried to find any log with more information about this but without luck.

Do you know where I can find more information?

Thanks in advance.

Regards,

Damián

Damián Lozano
FortiArt
Staff

Usually those logs are attached to emails, and you can find them under security events, especially if you have an email filter UTM profile attached to firewall policies.

You can also find them under threat logs: Go to Dashboard > Top Threats. The Top Threats monitor displays threats based on the scores in the traffic logs. Double-click a threat to view the summary.

https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/903511/threat-weight#:~:text....

It's also helpful to check IPS UTM security events and anomaly event logs, especially if you have a DoS policy configured.

Hope this helps.

damianhlozano

Hello FortiArt!!!
Thanks for your response.

Email filter is not even set as visible, so, I have no logs about this.
Now, thanks to you, I could find a log.
In "Top Threats", I selected the threat and, by going to "View session logs", I could see all the log information.

Application Control
Application Name: HTTPS
Protocol: 6
Service: HTTPS

Data
Received Bytes: 0 B
Sent Bytes: 256 B
Message: URL belongs to a denied category in policy

Action
Action: blocked

Security
Level: warning
Threat Level: High
Threat Score: 30
Threat Type: Phishing

Other
Log event original timestamp: 1726673623854412800
Timezone: -0300
Log ID: 0316013056
Type: utm
Sub Type: webfilter

So, I think this was the webfilter, which blocked the attempt to access this website (which is phishing).

Do you know if it is possible to send email alerts for this kind of event?
I have many other email alerts, but not for security events.

Regards,
Damián

Damián Lozano
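
An added example, not part of either post above: a short Python filter that pulls web filter phishing blocks like the one quoted in this thread out of exported raw logs, converts the nanosecond timestamp using the logged timezone, and sums the threat score per source. The sample lines are constructed, and the key=value field names (eventtime, tz, srcip, hostname, catdesc, crscore) and the srcip addresses are assumptions about the export format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in key=value form; field names and srcip values are assumptions.
SAMPLE_LOG = """\
eventtime=1726673623854412800 tz="-0300" logid="0316013056" type="utm" subtype="webfilter" level="warning" srcip=192.0.2.10 hostname="biserka.xyz" action="blocked" msg="URL belongs to a denied category in policy" catdesc="Phishing" crscore=30 crlevel="high"
eventtime=1726673700000000000 tz="-0300" type="utm" subtype="webfilter" level="notice" srcip=192.0.2.11 hostname="news.example" action="passthrough" catdesc="News and Media"
eventtime=1726673800000000000 tz="-0300" type="traffic" subtype="forward" level="notice" srcip=192.0.2.10 action="accept"
"""

# Matches key="quoted value" or key=bare_value pairs.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one raw log line into a dict of field -> string value."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def event_time(rec):
    """eventtime is nanoseconds since the Unix epoch; tz is the offset as +/-HHMM."""
    tz = rec.get("tz", "+0000")
    sign = -1 if tz[0] == "-" else 1
    offset = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))
    return datetime.fromtimestamp(int(rec["eventtime"]) // 10**9, tz=offset)

def phishing_blocks(text):
    """Return blocked web filter events whose category is Phishing."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if (rec.get("type") == "utm" and rec.get("subtype") == "webfilter"
                and rec.get("action") == "blocked"
                and rec.get("catdesc", "").lower() == "phishing"):
            hits.append({"when": event_time(rec).isoformat(),
                         "srcip": rec.get("srcip", "unknown"),
                         "hostname": rec.get("hostname", ""),
                         "score": int(rec.get("crscore", 0))})
    return hits

def score_by_source(hits):
    """Sum the threat score per source address, as a per-source threat view would."""
    totals = defaultdict(int)
    for hit in hits:
        totals[hit["srcip"]] += hit["score"]
    return dict(totals)

if __name__ == "__main__":
    for hit in phishing_blocks(SAMPLE_LOG):
        print(hit)
```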