Hello, I spent the last two weeks trying to understand how exactly correlation handlers work and am still confused. I used one of the default handlers named "Default-Brute-Force-Account-Login-Attack-FGT" which should trigger after 5 unsuccessful logins to...

Hi, I went through the built-in event handlers in FAZ and found some Windows privilege escalation handlers. Could I use them with Windows Servers without FortiClient installed? If so, is there any cookbook or documentation on how to set it up? Thanks, Robert

Hello, I'm trying to grab the IP address from the log after ssl-login-fail, create a new Firewall->address and append it to an existing group using a CLI script. The log event looks like this: date=2024-01-17 time=11:11:19 id=7325007792115286044 itime="2024-01-17 1...

Hello, I created an automation stitch based on a FAZ handler. When I check the FAZ handler list I can confirm that the attack has been recognized, but the automation doesn't always start. I made two actions - send email and webhook to Teams, but it's not me...

Well, for the sake of the archives... There is a confirmed bug in FortiAnalyzer 7.2.x which causes srcip not to be sent in the log back to the FortiGate, so the script trying to grab this value can't work. The recommended solution is to upgrade FAZ to 7.4.x. HTH...

Yeah, I understand how it's supposed to work. I made a support ticket to ask for help, because I have no idea how to alter the output of the FAZ handler. Thanks, Robert

Well, I think that I found the issue. There is a difference in the log entry between what I see in FortiAnalyzer and what's sent to the automation. I created another action which sends me the complete %%log%% to my email, and there is no %%remip%% in it at all. Also ...

Hey, good catch on that %%remip%%_SSL_VPN object. However, I tried with %%log.remip%% and the IP address entry is still not created. I removed that append to group for the moment. Now I'm trying the "Record in console" method, maybe there was some unwan...