New Features Guide

FortiAnalyzer 7.4.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO LIBRARY

https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification

FORTINET TRAINING INSTITUTE

https://training.fortinet.com

FORTIGUARD LABS
https://www.fortiguard.com

END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

March 7, 2024
FortiAnalyzer 7.4.0 New Features Guide
05-740-898228-20240307
 TABLE OF CONTENTS

Change Log 6
Overview 8
Fabric View 9
Connectors 9
Webhook Connector to Support MS Teams 9
Security Operations (SOC) 15
SOC automation 15
Playbook event trigger correleation rules 7.4.1 15
Incident and Event Management 16
New predefined correlation event handlers 16
Update to the Event Handler rule configuration 7.4.2 22
Dashboards 27
SD-WAN Cloud Assisted Monitoring service widgets 7.4.1 27
Data leak prevention monitor in FortiView 7.4.1 31
FortiProxy monitor in FortiView 7.4.1 34
Indicator of Compromise log types and custom view 7.4.2 36
Replay attacks in the Threat Map 7.4.2 38
Asset and Identity 40
New charts in the Asset Identity Center 40
Others 42
FortiSoC GUI reorganization 42
Notifications for new Outbreak Alerts 7.4.1 45
MITRE ATT&CK matrices for Enterprise and ICS 7.4.1 47
Reports, event handlers, log parsers, and playbooks delivered as FortiGuard
packages 7.4.2 58
Log and Report 63
Logging 63
FortiAnalyzer supports FortiWeb Cloud attack logs 63
Support parsing and addition of third-party application logs to the SIEM DB 64
Per-ADOM log rate 70
Support EMS multitenancy via FortiAnalyzer ADOMs 7.4.1 72
Logging support for FortiCASB 7.4.1 74
Logging support for FortiPAM 7.4.1 76
Logging support for FortiToken Cloud 7.4.1 77
Support parsing and addition of third-party application logs to the SIEM DB in JSON
format 7.4.1 78
FortiAnalyzer supports packet header information for FortiWeb traffic log 7.4.1 80
Additional log fields for long live session logs 7.4.2 82
Log Forwarding 83
Fluentd support for public cloud integration 83
Reports 87
Report guidance 87
PCI Security Rating Report 89
Cyber Threats Assessment Report update 90

FortiAnalyzer 7.4.0 New Features Guide 3

Fortinet Inc.
 Threat Report update 91
FSBP Security Rating Report 93
CIS Controls Security Rating report 94
Shadow IT Report 95
FortiADC Report 7.4.1 97
Default ZTNA Report 7.4.1 98
FortiEDR Report 7.4.1 99
ISO 27001:2022 Compliance Security Rating Report 7.4.1 101
Exporting a report with settings 7.4.1 102
HIPAA Compliance Security Rating Report 7.4.2 104
Others 106
Time zone settings per ADOMs/Reports 106
New API to restore logs 109
System 112
High Availability (HA) 112
Geo-redundant High Availability (HA) 112
Administrators 115
A new restricted admin profile can be used to only change the administrators
passwords 7.4.2 115
Per-ADOM admin profile 7.4.2 118
Others 121
FortiAnalyzer GUI enhancements 121
Fabric of FAZ topology chart 125
Fabric of FAZ: member authorization with supervisor 127
Fabric of FAZ global FortiView support 132
Fabric of FAZ: Central report support and creating Fabric groups 134
Block out contract device from upgrading to next or major or minor release 137
FortiManager and FortiAnalyzer support HTTP/2 for improved security, multiplexing,
and reduced network latency 7.4.1 139
Backup strategy and configuration setup added to the FortiAnalyzer setup wizard
7.4.2 141
Cloud Services 143
FortiAnalyzer supports FortiCare Elite Service 143
Operational Technology 147
Operational Technology (OT) Security Service 147
OT Purdue Model in a consolidated Asset & Identity Center Dashboard 149
OT Security Risk Report 152
Other 155
Licensing adjustment 155
Index 158
7.4.0 158
Fabric View 158
Security Operations 158
Log and Report 158
System 159
Cloud Services 159
Operational Technology 159

FortiAnalyzer 7.4.0 New Features Guide 4

Fortinet Inc.
 Other 159
7.4.1 159
Security Operations 159
Log and Report 160
System 160
7.4.2 160
Security Operations 160
Log and Report 161
System 161

FortiAnalyzer 7.4.0 New Features Guide 5

Fortinet Inc.
Change Log

Date Change Description

2023-05-15 Initial release.

2023-05-16 Added:
l Per-ADOM log rate on page 70

l Fabric of FAZ: Central report support and creating Fabric groups on page 134

2023-05-19 Added:
l Webhook Connector to Support MS Teams on page 9

l Report guidance on page 87

l CIS Controls Security Rating report on page 94

2023-05-31 Added Operational Technology on page 147.

2023-06-16 Added:
l FortiSoC GUI reorganization on page 42

l New charts in the Asset Identity Center on page 40

l Shadow IT Report on page 95
l Time zone settings per ADOMs/Reports on page 106

2023-06-21 Added Fluentd support for public cloud integration on page 83.

2023-06-30 Added Operational Technology (OT) Security Service on page 147.

2023-07-17 Updated Time zone settings per ADOMs/Reports on page 106.

2023-08-31 Initial release of FortiAnalyzer 7.4.1.

2023-09-06 Added MITRE ATT&CK matrices for Enterprise and ICS 7.4.1 on page 47.

2023-09-14 Updated Webhook Connector to Support MS Teams on page 9.

2023-09-26 Added Geo-redundant High Availability (HA) on page 112.

2023-10-04 Updated MITRE ATT&CK matrices for Enterprise and ICS 7.4.1 on page 47.

2023-10-11 Updated Shadow IT Report on page 95.

2023-10-13 Added FortiManager and FortiAnalyzer support HTTP/2 for improved security,
multiplexing, and reduced network latency 7.4.1 on page 139.

2023-10-20 Added:
l Licensing adjustment on page 155

l New API to restore logs on page 109

l Playbook event trigger correleation rules 7.4.1 on page 15
l SD-WAN Cloud Assisted Monitoring service widgets 7.4.1 on page 27
l Support parsing and addition of third-party application logs to the SIEM DB in JSON
format 7.4.1 on page 78

FortiAnalyzer 7.4.0 New Features Guide 6

Fortinet Inc.
Change Log

Date Change Description

2023-11-01 Added Exporting a report with settings 7.4.1 on page 102.

2023-11-24 Added:
l FortiEDR Report 7.4.1 on page 99

l ISO 27001:2022 Compliance Security Rating Report 7.4.1 on page 101

l FortiAnalyzer supports packet header information for FortiWeb traffic log 7.4.1 on

page 80

2023-12-21 Initial release of FortiAnalyzer 7.4.2.

2024-01-24 Added:
l Data leak prevention monitor in FortiView 7.4.1 on page 31

l HIPAA Compliance Security Rating Report 7.4.2 on page 104

l Indicator of Compromise log types and custom view 7.4.2 on page 36
l Per-ADOM admin profile 7.4.2 on page 118

2024-02-02 Added:
l New predefined correlation event handlers on page 16

l FortiProxy monitor in FortiView 7.4.1 on page 34

l Replay attacks in the Threat Map 7.4.2 on page 38
l Update to the Event Handler rule configuration 7.4.2 on page 22

2024-03-07 Added
l Reports, event handlers, log parsers, and playbooks delivered as FortiGuard

packages 7.4.2 on page 58

l Additional log fields for long live session logs 7.4.2 on page 82

FortiAnalyzer 7.4.0 New Features Guide 7

Fortinet Inc.
Overview

This guide provides details of new features introduced in FortiAnalyzer 7.4. For each feature, the guide provides detailed
information on configuration, requirements, and limitations, as applicable.
The FortiAnalyzer new features are organized into the following categories:
l Fabric View on page 9
l Security Operations (SOC) on page 15
l Log and Report on page 63
l System on page 112
l Cloud Services on page 143
l Operational Technology on page 147
For a list of all features organized by the version number that they were introduced, see Index on page 158.

FortiAnalyzer 7.4.0 New Features Guide 8

Fortinet Inc.
 Fabric View

Fabric View

This section lists the new features added to FortiAnalyzer for Fabric View:
l Connectors on page 9

Connectors

This section lists the new features added to FortiAnalyzer for connectors:
l Webhook Connector to Support MS Teams on page 9

Webhook Connector to Support MS Teams

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l Creating or editing ITSM connectors

A webhook connector has been added in FortiAnalyzer to support MS Teams. This connector can be used to post a
message in MS Teams.
After an MS Teams connector is created, it can be added in the incident settings, notification profiles for event handlers,
or as part of a playbook.
This topic contains the following instructions:
l To create a MS Teams connector:
l To use the MS Teams connector in a playbook:
l To use the MS Teams connector in incident settings:
l To use the MS Teams connector in a notification profile:

To create a MS Teams connector:

1. Go to Fabric View > Fabric Connectors.

2. Click Create New.
The Create New Fabric Connector pane displays.

FortiAnalyzer 7.4.0 New Features Guide 9

Fortinet Inc.
Fabric View

3. In the ITSM section, double-click MS Teams Connector.

4. Configure the following options:

Name Type a name for the fabric connector.

Description (Optional) Type a description for the fabric connector.

Protocol Select HTTPS.

Method Select POST.

Title Type a title for the fabric connector.

Teams Webhook URL Enter the incoming webhook URL created in MS Teams.

HTTP Body Enter the HTTP body of the message that should be sent by the connector.
For example, { \"text\": \"<message to send>\" }.

Status Enabled by default. The connector can be disabled, as needed.

FortiAnalyzer 7.4.0 New Features Guide 10

Fortinet Inc.
Fabric View

5. Click OK.
Use ${} for macros in the HTTP Body field. The following macros and variables are supported:

Category Variable Macro Description

Global type ${type} Notification type

Global adom ${adom} Adom name

Global from ${from} FAZ SN

Global timestamp ${timestamp} Notification timestamp

Event event ${event} All event fields

Event eventid ${event.eventid} Event id

Event alertid ${event.alertid} Alert id (same with eventid, but name

consistent with previous notification format)

Event logtype ${event.logtype} Log type

Event devtype ${event.devtype} Device type

Event eventtime ${event.eventtime} Event time

Event alerttime ${event.alerttime} Alert time (same with eventtime, but name
consistent with previous notification format)

Event firstlogtime ${event.firstlogtime} First log time

Event lastlogtime ${event.lastlogtime} Last log time

Event devid ${event.devid} Device id

FortiAnalyzer 7.4.0 New Features Guide 11

Fortinet Inc.
Fabric View

Category Variable Macro Description

Event devname ${event.devname} Device name

Event eventtype ${event.eventtype} Event type

Event groupby1 ${event.groupby1} groupby1

Event groupby2 ${event.groupby2} grouby2

Event groupby3 ${event.groupby3} grouby3

Event indicator ${event.indicator} indicator

Event severity ${event.severity} severity

Event subject ${even.subject} subject

Event tag ${event.tag} tag

Event triggername ${event.triggername} Trigger name

Event vdom ${event.vdom} vdom

Event epid ${event.epid} epid

Event euid ${event.euid} euid

Event epip ${event.epip} epip

Event epname ${event.epname} epname

Event euname ${event.euname} euname

Event extrainfo ${event.extrainfo} Additional info

Event log-length ${event.log-length} Log length

Event log-detail ${event.log-detail} Log detail

Incident incident ${incident} All incident fields

Incident incid ${incident.incid} Incident ID

Incident type ${incident.type} Notification type

Incident revision ${incident.revision} revision

Incident attach_revision ${incident.attach_ attach revision

revision}

FortiAnalyzer 7.4.0 New Features Guide 12

Fortinet Inc.
Fabric View

To use the MS Teams connector in a playbook:

1. When adding a connector in a playbook, select MS_TEAMS.

2. From the Connector dropdown, select the MS Teams connector that you created.

3. Configure the other options for the playbook as needed.

For more information, see the FortiAnalyzer Administration Guide.

To use the MS Teams connector in incident settings:

1. Go to Incidents & Events > Incidents.

2. In the toolbar, click Settings.
3. From the Fabric Connector dropdown, select the MS Teams connector that you created.

FortiAnalyzer 7.4.0 New Features Guide 13

Fortinet Inc.
Fabric View

4. Configure the other options for the incident settings as needed.

For more information, see the FortiAnalyzer Administration Guide.

To use the MS Teams connector in a notification profile:

1. When selecting the Connectors for a notification profile, select the MS Teams connector that you created.

2. Configure the other options for the notification profile as needed.

For more information, see the FortiAnalyzer Administration Guide.

FortiAnalyzer 7.4.0 New Features Guide 14

Fortinet Inc.
 Security Operations (SOC)

Security Operations (SOC)

This section lists the new features added to FortiAnalyzer for security operations (SOC):
l SOC automation on page 15
l Incident and Event Management on page 16
l Dashboards on page 27
l Asset and Identity on page 40
l Others on page 42

SOC automation

This section lists the new features added to FortiAnalyzer for SOC automation:
l Playbook event trigger correleation rules 7.4.1 on page 15

Playbook event trigger correleation rules - 7.4.1

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l Playbook triggers and tasks

FortiAnalyzer v7.4.1 introduces extra flexibility on playbooks by implementing:

l Option to select Any of the following conditions (OR): The event is triggered if any of the defined conditions are met.
l Nested groups: Conditions can be grouped together and linked by either AND or OR.
When creating a playbook in Fabric View > Automation > Playbook, the EVENT_TRIGGER configuration includes
options to Add Condition and Add Condition Group.

When adding a condition, you can select one of the following:

l All of the following conditions (AND)
l Any of the following conditions (OR)

FortiAnalyzer 7.4.0 New Features Guide 15

Fortinet Inc.
 Security Operations (SOC)

The conditions can be nested in groups. For example, "(group1 AND group2) OR (group3)". See below.

Incident and Event Management

This section lists the new features added to FortiAnalyzer for incident and event management:
l New predefined correlation event handlers on page 16
l Update to the Event Handler rule configuration 7.4.2 on page 22

New predefined correlation event handlers

In 7.4.0, 33 predefined correlation event handlers have been added for nine use cases. The nine use cases include:

Use case Description

Command & Control (CnC) To identify suspicious traffic between internal systems and external destinations.

To identify when credentials are compromised, indicating that an attacker may

Credential Access
have gained access.

Defense Evasion To identify if an endpoint is compromised.

Execution To identify if any malware is downloaded and executed.

Exfiltration To identify any data leaks in the network.

Initial Access To identify any suspicious activities after a new user gained access.

FortiAnalyzer 7.4.0 New Features Guide 16

Fortinet Inc.
Security Operations (SOC)

Use case Description

To identify if there is any advancement from the attacker on a already

Lateral Movement
compromised network.

To identify when an attacker maintains unauthorized access and performs

Persistence
malicious activities.

Privilege Escalation To identify if an attacker tries to get access over sensitive information.

To view the predefined correlation event handlers, go to Incidents & Events > Handlers > Correlation Handlers. From the
More dropdown, select Show Predefined and deselect Show Custom. The related use case is included in the name of
the predefined correlation event handler.

Correlation event handler Description

Botnet communication detected and multiple TXT type DNS request detected
CnC - Botnet CnC
which is a way of hiding the communication to botnet and carry commands from
Communication Detected
the botnet. This is strong indication there is a botnet attack event.

CnC - Default Access To A

A user tries to SSH from FortiGate to an endpoint get blocked for many times
Suspicious Domain After SSH
shortly followed by access to a suspicious domain from that endpoint may
Command Block For Many
indicate the endpoint is compromised.
Times

Incoming Botnet communication detected followed by multiple TXT type DNS

CnC - Default Incoming Botnet
request which is a way to hide the Command and Control communication to the
CnC Communication Callback
botnet. This may indicate the endpoint is trying to send the message to the botnet
Detected
to confirm the endpoint is being controlled, and carry commands from the botnet.

CnC - Default Intrusion Detected A user try to SSH from FortiGate to another device but failed for many times
After SSH Command Block For followed by intrusion detected from the endpoint the user tries to access to. This
Many Times may indicate the user has gained access to the endpoint and trigger the intrusion.

Outgoing Botnet communication detected followed by multiple TXT type DNS

CnC - Default Outgoing Botnet
request which is a way to hide the Command and Control communication to the
CnC Communication Callback
botnet. This may indicate the endpoint is trying to send the message to the botnet
Detected
to confirm the endpoint is being controlled, and carry commands from the botnet.

CnC - Default Risky App A user tries to SSH from FortiGate to an endpoint gets blocked many times
Detected After SSH Command shortly followed by risky app detected from that endpoint, which may indicate the
Block For Many Times endpoint is compromised.

CnC - Default Suspicious Traffic This handler is to detect if an endpoint is infected and there is a large traffic from
from Infected Endpoint the same endpoint.

Credential Access - Default Brute This handler is to detect if an account login failed many times not followed by a
Force Account Login Attack FAZ login success for FortiAnalyzer.

Credential Access - Default Brute This handler is to detect if an account login failed many times not followed by a
Force Account Login Attack FGT login success for FortiGate.

FortiAnalyzer 7.4.0 New Features Guide 17

Fortinet Inc.
Security Operations (SOC)

Correlation event handler Description

Credential Access - Default

Privileges assigned to a user shortly followed by credentials were read may
Credentials Were Read After
indicate the user is suspicious.
Special Privileges Assigned

Defense Evasion - Default Access to a suspicious domain after attempted to download malware but blocked
Access To A Suspicious Domain for many times which may indicated the malware is penetrated the defense and
After Malware Downloaded the device is compromised.

Defense Evasion - Default High/Critical risk App detected followed by connection to a new registered
Access To A Suspicious Domain domain may indicate the risky app is trying to talk to a botnet server which require
After Risky App Detected attention.

Defense Evasion - Default Attack

Malware download detected followed by an attack event may indicate the
Event Detected After Malware
endpoint is compromised by the malware.
Downloaded

Defense Evasion - Default Malware download detected followed by multiple TXT type DNS request which is
Communication To Botnet a way of hiding the communication to botnet and carry commands from the
Detected After Malware Detected botnet. This may indicate the endpoint is being controlled.

Defense Evasion - Default

KERBEROS traffic violation followed by intrusion detected may indicated the
Intrusion Detected After
unwanted user gain access to the endpoint by KERBEROS.
KERBEROS Traffic Violation

Defense Evasion - Default Malware download blocked for many times followed by intrusion detected. This
Intrusion Detected After Malware may indicate the malware is penetrated the defense and the endpoint is
Detected compromised.

Defense Evasion - Default

High/Critical risk App detected followed by intrusion detected may indicate the
Intrusion Detected After Risky
risky app triggered the intrusion.
App Detected

Defense Evasion - Default

SUNBURST Domain Traffic Detected after malware download attempt blocked
SUNBURST Domain Traffic
multiple times. This event may indicate the malware escaped and executed to
Detected After Malware
communicate with SUNBURST Command and Control servers.
Downloaded

User attempted to download malware on their endpoint for many times followed
Execution - Default Malware
by detecting high or critical risk app on FortiGate application control log may
Downloaded And Execution
indicate the user bypassed the security and downloaded the malware, and then
Detected
executed the malware or infected software.

Exfiltration - Default Data Leak

High/Critical risk App detected followed by data leak detected may indicate the
Detected After Risky App
endpoint is compromised.
Detected

Exfiltration - Default Data Leak A user tries to SSH from FortiGate to an endpoint get blocked for many times
Detected After SSH Command shortly followed by data leak from that endpoint may indicate the endpoint is
Block For Many Times compromised.

FortiAnalyzer 7.4.0 New Features Guide 18

Fortinet Inc.
Security Operations (SOC)

Correlation event handler Description

Initial Access - Default Kernel

Module Removed After A New A new user access to the Linux via shell followed by the kernel module is
User Access to The Linux via removed may indicate the new user is suspicious.
Shell

Initial Access - Default Syslog

Potential shell access via web server or new user access to the Ubuntu shell
Logging Service Deactivated
followed by syslog logging service disabled may indicate the unwanted user has
After A New User Access To The
gained the access to the endpoint and disabled the syslog logging service.
Linux via Shell

Lateral Movement - Default

Access to a suspicious domain on a device with vulnerability, which may indicate
Access To A Suspicious Domain
the device is compromised.
On A Device with Vulnerability

Lateral Movement - Default Data

Data Leak Found On a Device with Vulnerability may indicate the device is
Leak Found On A Device with
compromised.
Vulnerability

Lateral Movement - Default Virus

Virus detected on a device with vulnerability may indicate it is compromised; need
Detected On A Device with
not only remove the virus, but also fix the vulnerability.
Vulnerability

Lateral Movement - Default

Vulnerability detected by FCT and intrusion detected. Both event happened on an
Vulnerability And Intrusion
endpoint may indicate the endpoint is compromised.
Detected

Persistence - Default Firewall

Authentication failed for many times followed by firewall service deactivated may
Service Deactivated After
indicate the unwanted user has gained the access to the endpoint and disabled
Authentication Failed For Many
the firewall service.
Times

Persistence - Default Kernel

Authentication failed for many times followed by kernel module removed may
Module Removed After
indicate the unwanted user has gained the access to the endpoint and removed
Authentication Failed For Many
the kernel module.
Times

Persistence - Default Syslog

Authentication failed for many times followed by syslog logging service
Logging Service Deactivated
deactivated may indicate the unwanted user has gained the access to the
After Authentication Failed For
endpoint and disabled the logging service.
Many Times

Privilege Escalation - Default

Firewall Disabled After Special Firewall disabled after special privileges assigned to new logon may indicate this
Privileges Assigned to New new logon user is suspicious.
Logon

Privilege Escalation - Default

Windows Event Logging Service Privileges assigned to a user shortly followed by event logging server is down or
Is Down Or Log Is Cleared After log is cleared may indicate the user is suspicious.
Privileges Assigned

FortiAnalyzer 7.4.0 New Features Guide 19

Fortinet Inc.
Security Operations (SOC)

Correlation event handler Description

Privileges assigned to a new logon followed by windows system time was

Privilege Escalation - Default
changed may indicate this is a time travel attack. For example, setting the clock
Windows System Time Was
back on a client to a previous point in time could cause the system to accept
Changed After Privileges
rogue Transport Layer Security (TLS) certificates that may have been already
Assigned To A New Logon
revoked, thereby giving attackers a way to decrypt encrypted communications.

FortiAnalyzer 7.4.0 New Features Guide 20

Fortinet Inc.
Security Operations (SOC)

To edit a predefined correlation event handler, select it and click Edit. You can enable or disable these handlers
according to your needs. You can also include a data selector or notification profile where appropriate. For more
information about editing a correlation event handler, see Creating a custom correlation handler in the FortiAnalyzer
Administration Guide.
In the Edit Correlation Event Handler pane, you can review the description of the handler as well as the correlation
sequence and criteria.

When these predefined correlation event handlers are enabled, incoming logs that satisfy the correlation sequence will
trigger events. To view the triggered events, click the event count in the Events column.

FortiAnalyzer 7.4.0 New Features Guide 21

Fortinet Inc.
 Security Operations (SOC)

Update to the Event Handler rule configuration - 7.4.2

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l Creating a custom event handler

When configuring rules for a basic event handler in the GUI, the configuration is now organized into four sections:
1. General: Set the rule status, name, and severity of the triggered event.

2. Choose Your Logs: Select the device and log type that you want to monitor for events. Choose up to three log fields
to categorize logs into smaller groups.

FortiAnalyzer 7.4.0 New Features Guide 22

Fortinet Inc.
Security Operations (SOC)

3. Refine Your Logs: Once logs are grouped, you can further refine the data within each group by applying filters with
other log fields. Logs that match the filters will be retained within each group.

4. Define Event Conditions: Once you've organized and filtered the logs, set up criteria that enables the system to
automatically initiate events when log records reoccur within each group.

FortiAnalyzer 7.4.0 New Features Guide 23

Fortinet Inc.
Security Operations (SOC)

There is also a section for Advanced Settings, which is useful to specify the details for the triggered events. This includes
the event message, event status, tags, and indicators.

Some option names and descriptions have also been updated from previous versions to provide more clarity.

To configure a rule for a basic event handler:

The following instructions are based on FortiAnalyzer version 7.4.2. For the latest version, see
the option descriptions in the following topic from the FortiAnalyzer Administration Guide:
l Creating a custom event handler

FortiAnalyzer 7.4.0 New Features Guide 24

Fortinet Inc.
Security Operations (SOC)

1. Go to Incidents & Events > Handlers > Basic Handlers.

2. Click Create New.
The Add New Basic Event Handler pane displays.
3. In the Rules section for the event handler, click Add New Rule.
The Add New Rule pane displays.
4. Configure the following options:

Option Description

Status Enable or disable the rule. If the rule is disabled, it will not be used to generate
events.

Name Enter a name for the rule.

Event Severity Select the severity from the dropdown list: Critical, High, Medium, or Low.

Choose Your Logs

Start by selecting the device and log type that you want to monitor for events.

Log Device Type If you are in a Security Fabric ADOM, select the log device type from the
dropdown list. If you are not in a Security Fabric ADOM, you cannot change
the Log Device Type.
The Fabric log device type can be used to generate alerts from SIEM logs
when SIEM logs are available.

Log Type Select the log type from the dropdown list.
When Devices is set to Local Device, you cannot change the Log Type or Log
Subtype.

Log Subtype Select the category of event that this event handler monitors. The available
options depend on the platform type.
This option is only available when the Log Type has a subtype. For example,
Event Log and Traffic Log have log subtypes which can be selected from the
dropdown.

Log Field Select the log fields for the system to categorize logs into smaller groups.
For example, consider the scenario where the Log Field is set using Source
IP (srcip). When log entries are recorded with source IPs such as
192.168.1.1, 192.168.1.2, and 192.168.1.3, the system will categorize these
logs into distinct groups:
l Group 1: Logs with the source IP 192.168.1.1

l Group 2: Logs with the source IP 192.168.1.2

l Group 3: Logs with the source IP 192.168.1.3
This grouping mechanism allows analysis of log data based on the specified
source IP addresses.

Refine Your Logs

Once logs are grouped, you can refine the data within each group by applying filter with other log fields. Logs that
match the filters will be retained within each group.

Log Filters Select All Filters or Any One of the Filters.

FortiAnalyzer 7.4.0 New Features Guide 25

Fortinet Inc.
Security Operations (SOC)

Option Description

Configure the filter(s):

l Log Field: Select a log field from the dropdown.

After the log device and log type are selected, the Log Field dropdown list
will only include log fields that belong to the specified log type. For
example, the Botnet IP log field is available when the Log Type is DNS,
but not available when the Log Type is Event Log.
l Match Criteria: Select an operator from the dropdown. The available
options depends on the selected log field.
Some log fields, such as Source Port, will provide a variety of operators in
the dropdown list, such as Equal To, Not Equal To, Greater Than or Equal
To, Less Than or Equal To, Greater Than, and Less Than.
Other log fields, such as Log Description, will be limited to Equal To and
Not Equal To.
l Value: Select a value from the dropdown list or enter a value in the text
box. The available options depends on the selected log field.
If there is no dropdown list provided by FortiAnalyzer, you must manually
enter a value to find in the raw log.
If a dropdown list is provided, you can select a value from the list. For
some log fields, such as Level, the dropdown list also allows you to enter
a custom value. If there is no textbox to enter a custom value in the
dropdown list, you must use the Generic Text Filter instead.
In the Action column, click plus (+) to insert a new filter below. You can insert
multiple filters. To delete a filter, click the x next to the filter.

Log Filter by Text Enter a generic text filter. See the FortiAnalyzer Administration Guide.
For information on text format, hover the cursor over the help icon. The
operator ~ means contains and !~ means does not contain.

Define Event Conditions

Once you've organized and filtered the logs, set up criteria that enable the system to automatically initiate events
when log records reoccur within each group.

Trigger an event when: Select the radio button for one of the following options and configure the
criteria:
l A group contains <integer> or more log occurences

l Within a group, the log field <log field> has <integer> or more
unique values
l Click the toggle icon to change to "[...] has fewer than <integer>
unique values"
l The sum of <measure> is greater than or equal to <integer>
Additionally, configure the following in relation to your selection:
l All logs were generated within <integer> minutes

5. Configure the Advanced Settings for the rule, if needed, and click OK to save the rule.
6. You can add more rules to the event handler, as needed. All rules for the basic event handler will have an OR
relationship. To configure rules with different correlation criteria, configure a correlation event handler. For more
information, see the FortiAnalyzer Administration Guide.

FortiAnalyzer 7.4.0 New Features Guide 26

Fortinet Inc.
 Security Operations (SOC)

7. Configure the options for the event handler, and click OK.

Dashboards

This section lists the new features added to FortiAnalyzer for dashboards:
l SD-WAN Cloud Assisted Monitoring service widgets 7.4.1 on page 27
l Data leak prevention monitor in FortiView 7.4.1 on page 31
l FortiProxy monitor in FortiView 7.4.1 on page 34
l Indicator of Compromise log types and custom view 7.4.2 on page 36
l Replay attacks in the Threat Map 7.4.2 on page 38

SD-WAN Cloud Assisted Monitoring service widgets - 7.4.1

New widgets are introduced in FortiAnalyzer 7.4.1 for the SD-WAN Cloud Assisted Monitoring service on FortiOS.

Topology

This feature requires an SD-WAN connected to the internet to run speed tests on SD-WAN member interfaces. The
FortiGate must use version 7.4.0 or higher, so SD-WAN Bandwidth Monitoring Result event logs can be sent from
FortiGate.

To run speed tests from the FortiGate devices:

Enter the following command to download the speed test server list from FortiGate Cloud:
exec speed-test-server download

Enter the following command to list all available servers:

exec speed-test-server list

Enter the following command to measure bandwidth on an interface to a test server:

exec speed-test {auto | <outgoing interface name>} <server>

For more information, see the FortiGate / FortiOS Administration Guide.

New SD-WAN Cloud Assisted Monitoring widgets and charts in FortiAnalyzer:

Speed Test is a new widget added to the Secure SD-WAN Monitor dashboard. This widget displays the download and
upload speeds for all tests run on SD-WAN interfaces through the specified time period. You can select to display as a
combined line chart or as a table chart.
The following is an example of the line chart for Speed Test:

FortiAnalyzer 7.4.0 New Features Guide 27

Fortinet Inc.
Security Operations (SOC)

The following is an example of the table for Speed Test:

Sort By Speed is a new option added to the Top SD-WAN SLA Issues widget in the Secure SD-WAN Monitor dashboard.
This option displays the peak speed run on SD-WAN interfaces through specified time period.

FortiAnalyzer 7.4.0 New Features Guide 28

Fortinet Inc.
Security Operations (SOC)

The new Sort By Speed option is also added to the Top SD-WAN SLA Issues widget in the SD-WAN Summary
dashboard. This option displays the peak speed run on SD-WAN interfaces through specified time period for selected
devices.

Speed Test By Bandwidth is a new widget added to the SD-WAN Summary dashboard. This widget displays a bar chart
of the combined download and upload speeds for all SD-WAN interfaces on each device.

FortiAnalyzer 7.4.0 New Features Guide 29

Fortinet Inc.
Security Operations (SOC)

Speed Test Summary is a new widget added to the SD-WAN Summary dashboard. This widget displays a table of the
download and upload speeds for all tests run on SD-WAN interfaces through specified time period on selected devices.

An SD-WAN Speed Test By Bandwidth(bps) bar chart is added to the Secure SD-WAN Assessment Report. This chart
displays the combined download and upload speeds for all SD-WAN interfaces on each device.
A SD-WAN Link Speed Test by Bandwidth table is also added to the Secure SD-WAN Assessment Report. This table
displays the download and upload speeds for all tests run on SD-WAN interfaces through the specified time period on
selected devices

FortiAnalyzer 7.4.0 New Features Guide 30

Fortinet Inc.
 Security Operations (SOC)

Data leak prevention monitor in FortiView - 7.4.1

A data leak prevention (DLP) monitor with seven new widgets has been added to FortiView in FortiAnalyzer.
To access this monitor in the GUI, go to FortiView > Threats & Events > Data Leak Prevention. Widgets can be added,
removed, or re-sized according to your needs.

The following widgets are available:

l DLP Trends: Line chart displaying the number of DLP occurrences over a period of time by Allow or Block security
actions.
Mouse over an area of the chart to display values at that time in a tooltip.

FortiAnalyzer 7.4.0 New Features Guide 31

Fortinet Inc.
Security Operations (SOC)

l Top Destination Countries: Sankey graph displaying user, destination country, and security action.
You can change the graph to display the information by Occurrence or Bytes. Mouse over a section of the graph to
display the From, To, Session, or Bytes values in a tooltip. Click a destination country to drill down to the
corresponding Log View.

l Top Users: Bar graph displaying the top users for DLP.
The graph can be sorted by Occurrences or Bytes. Mouse over a user to show the User (Source/IP), Occurrence,
and Bytes in a tooltip. The number of top users can be set in the widget's settings menu. Click a user to drill down to
the corresponding Log View.

l Top Protocols: Bar graph displaying the top protocols for DLP.
The view can be sorted by Occurrences or Bytes. Mouse over a protocol to display Protocol Name, Occurrence, and
Bytes in a tooltip. The number of top protocols can be set in widget's settings menu. Click a protocol to drill down to
the corresponding Log View.

FortiAnalyzer 7.4.0 New Features Guide 32

Fortinet Inc.
Security Operations (SOC)

l Top DLP Events: Table displaying DLP events sorted by Severity by default.
The table can be sorted by other available columns: Application/Hostname, Source (User/IP), File Name, Sensitivity
(MIP level), Protocol, or Detection Name. Click a row to drill down to the corresponding Log View. Any of the
columns can be set as a filter for the table. Number of top DLP events can be set in widget's settings menu. The
results can also be exported to PDF file or Report Chart.

l Top DLP Profile Hits: Sankey graph displaying the FortiOS DLP profile name or FortiCASB filter name that triggered
the DLP event, the protocols, and the security action taken.
The graph can be sorted by Occurrences or Bytes. Mouse over a section to display the Name, From, To, Session, or
Bytes in a tooltip according to the graph location. Click a profile to drill down to the corresponding Log View.

l Sensitive Files being Accessed: Table displaying file names and attributes set in DLP profiles.
The table is sorted by Severity by default, but can also be sorted by File Name or Application. Click a row to drill
down to the corresponding Log View. Any of the columns can be set as a filter for the table. The number of results
can be set in widget's settings menu. The results can also be exported to PDF file or Report Chart.

FortiAnalyzer 7.4.0 New Features Guide 33

Fortinet Inc.
 Security Operations (SOC)

FortiProxy monitor in FortiView - 7.4.1

A FortiProxy monitor with seven new widgets has been added to FortiView in FortiAnalyzer.
To access this monitor in the GUI, go to FortiView > Traffic Analysis > FortiProxy. Widgets can be added, removed, or re-
sized according to your needs. You can also select the FortiProxy devices and time range to filter all widgets in the
monitor.

Within each widget, you can set filters according to the available columns. You can also sort tables by any available
column. From the widget's settings menu, you can set the refresh interval and, where appropriate, set the number of top
results to show in the table. Click a row within a table to drill down to the corresponding Log View.
The following widgets are available:
l Top Proxy Sources: Table displaying a list of FortiProxy Sources, grouped by User/IP and sorted by number of
Sessions.
The following columns are available: Source, Source Interface, number of Sessions, and Bytes.

FortiAnalyzer 7.4.0 New Features Guide 34

Fortinet Inc.
Security Operations (SOC)

l Top Proxy Destinations: Table displaying a list of FortiProxy Destinations, grouped by Destination IP and sorted by
number of Sessions.
The following columns are available: Destination IP, number of Sessions, and Bytes.

l Top Website Domains: Table displaying a list of Website Domains accessed by FortiProxy devices, grouped by
Domains and sorted by number of Sessions.
The following columns are available: Domain, Category, number of Sessions, and Bytes.

l Top Threats Destinations: Table displaying a list of threat Sources and Destinations logged by FortiProxy devices
sorted by Threat Level.
The following columns are available: Source, Destination IP, Threat Score, Threat Level, and number of Incidents.

l Top Threats: Table displaying a list of Threats logged by FortiProxy devices sorted by Threat Level.

FortiAnalyzer 7.4.0 New Features Guide 35

Fortinet Inc.
 Security Operations (SOC)

The following columns are available: Threat name, Threat Type, Threat Score, Threat Level, and number of
Incidents.

l Top Applications: Table displaying a list of Applications used and logged by FortiProxy devices sorted by Risk
Level.
The following columns are available: Application name, Category, Risk Level, and number of Sessions.

l Top DLP Events: Table displaying a list of Data Loss Prevention (DLP) events logged by FortiProxy devices sorted
by Severity.
The following columns are available: Severity, Hostname, Source, Service, number of Incidents.

Indicator of Compromise log types and custom view - 7.4.2

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l Working with IOC information

The FortiAnalyzer Compromised Hosts dashboard has been renamed to Indicator of Compromise. To access the
dashboard, go to FortiView > Threats > Indicator of Compromise.
The table view in Indicator of Compromise includes two new columns:

FortiAnalyzer 7.4.0 New Features Guide 36

Fortinet Inc.
Security Operations (SOC)

l Log Types
l Security Actions

You can now filter the table by log types and firewall security actions.
You can also create a custom view for the Indicator of Compromise table directly from the dashboard. After setting your
filters in FortiView > Threats > Indicator of Compromise, click Create Custom View. In the New Custom View pane,
configure the following options and click OK.

Name Enter a name for the custom view.

Device Displays the devices to be used for the custom view.

Time Period Displays the time period to be used for the custom view.

Privacy Toggle to Public or Private.

To open your custom view, go to FortiView > Custom View > [Name of the Indicator of Compromise custom view]. The
dashboard displays the filters you had set prior to creating the custom view.

FortiAnalyzer 7.4.0 New Features Guide 37

Fortinet Inc.
 Security Operations (SOC)

Replay attacks in the Threat Map - 7.4.2

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l Viewing FortiView dashboards

In FortiView > Threats > Threat Map, you can now replay threats from historical UTM logs.
The following options are available in the toolbar and map view for the Threat Map:

Option Description

Timeframe Select Realtime to display threats in the map as soon as they are received by
FortiAnalyzer.
Alternatively, select a timeframe to display historical UTM logs fetched from the
database and replay them in order of occurrence.

Devices Select devices to filter the threats, if needed.

Pause/Play This option only available when the timeframe is not Realtime.
Click to pause or play the threats replay in the map. The ring around the
play/pause button indicates the progress of the replay.

Replay rate This option only available when the timeframe is not Realtime.
Use the plus (+) and minus (-) buttons to increase or decrease the replay speed.
The fastest replay speed is 7 and the slowest is 1. The default is 3.

The list of threats that overlays the map view displays the following data:
l Date and time of threat
l Threat name
l Threat level

FortiAnalyzer 7.4.0 New Features Guide 38

Fortinet Inc.
Security Operations (SOC)

l White = low threat

l Yellow = high threat
l Red = critical threat
l Threat Source and Destination IPs, threat direction, and country flag if it is available
Below is an example of the Threat Map displaying threats in Realtime:

Below is an example of the Threat Map displaying a replay of threats from the last hour:

FortiAnalyzer 7.4.0 New Features Guide 39

Fortinet Inc.
 Security Operations (SOC)

From the settings menu for the Threat Map, you can select the Source and/or Destination country of the threat. For
example, see below.

Asset and Identity

This section lists the new features added to FortiAnalyzer for asset and identity:
l New charts in the Asset Identity Center on page 40

New charts in the Asset Identity Center

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l Asset Summary

l Identity Summary

The new Asset Identity Center pane combines the previous Asset Center and Identity Center panes. There are new and
updated widgets in the Asset Identity Center, which can be used for analysis of endpoints and end users.
Go to Fabric View > Asset Identity Center > Summary. By default, the pane displays the Asset dashboard. You can click
Identity to display the Identity dashboard. From the Toggle Widgets dropdown, select which widgets should display on
the dashboard. You can filter all widgets on the dashboard from Settings.

FortiAnalyzer 7.4.0 New Features Guide 40

Fortinet Inc.
Security Operations (SOC)

The Asset dashboard includes the following widgets:

Detection Method Displays endpoint detections by method.

Detection Source Displays a breakdown of the asset center data sources.

Identification/Unidentified Displays the number of detected endpoint assets that are identified and
Asset unidentified.

Hardware/OS Distribution Displays endpoint hardware operating system distribution.

Discovery Timeline Displays an asset discovery timeline.

Identified Active Asset Displays identified asset visibility over the past 24 hours to 52 weeks.

Assets By Location Displays identified assets by location.

Identified Activity Timeline Displays a first seen, last update, and last seen identified asset activity timeline.

Changes Timeline Displays an asset changes timeline.

Unidentifed Active Asset Displays unidentified asset visibility over the past 24 hours to 52 weeks.

Unidentifed Activity Timeline Displays a first seen, last update, and last seen unidentified asset activity timeline.

The Identity dashboard includes the following widgets:

Top Users Displays asset user data.

Number of Active Users Displays user visibility data over the past 24 hours to 52 weeks.

User Groups Displays user groups.

FortiAnalyzer 7.4.0 New Features Guide 41

Fortinet Inc.
 Security Operations (SOC)

User's Location Displays user numbers by location.

User's Manager Displays user numbers by manager.

Discovery Timeline Displays the user discovery timeline.

Activity Timeline Displays the user activity timeline.

Endpoint Tag Distribution Displays the distribution of endpoint tags.

Others

This section lists the new features added to FortiAnalyzer for other topics related to security operations:
l FortiSoC GUI reorganization on page 42
l Notifications for new Outbreak Alerts 7.4.1 on page 45
l MITRE ATT&CK matrices for Enterprise and ICS 7.4.1 on page 47
l Reports, event handlers, log parsers, and playbooks delivered as FortiGuard packages 7.4.2 on page 58

FortiSoC GUI reorganization

The FortiSoC features have been organized in the following areas of the GUI:
l Incidents & Events
l FortiView
l Fabric View
To create and manage events, go to Incidents & Events.

Incidents & Events includes the following:

Event Monitor View events generated by event handlers.

For more information, see the FortiAnalyzer Administration Guide.

Handlers Configure data selectors, notification profiles, basic event handlers, and
correlation event handlers.

FortiAnalyzer 7.4.0 New Features Guide 42

Fortinet Inc.
Security Operations (SOC)

For more information, see the FortiAnalyzer Administration Guide.

Incidents Create and update incidents to track and analyze events.

For more information, see the FortiAnalyzer Administration Guide.

Threat Hunting View a log count chart and SIEM log analytics table. The Threat Hunting
dashboard is only available in Fabric ADOMs when ADOMs are enabled.
For more information, see the FortiAnalyzer Administration Guide.

Log Parser View and manage SIEM log parsers.

For more information, see the FortiAnalyzer Administration Guide.

Outbreak Alerts View outbreak alerts and automatically download related event handlers and
reports from FortiGuard. The FortiAnalyzer Outbreak Detection Service is a
licensed feature.
For more information, see the FortiAnalyzer Administration Guide.

To review incidents and events in dashboards, go to FortiView > Monitors > Incidents & Events.

FortiAnalyzer 7.4.0 New Features Guide 43

Fortinet Inc.
Security Operations (SOC)

FortiView > Monitors > Incidents & Events includes the following dashboards:

Events This dashboard includes the following widgets:

l Event Summary

l Top 10 Events by Type

l Events by Severity
l Top 10 Events by Handler

Incidents This dashboard includes the following widgets:

l Total Incidents

l Unsolved Incidents
l Incidents Timeline

To configure FortiSoC playbooks, go to Fabric View > Automation.

FortiAnalyzer 7.4.0 New Features Guide 44

Fortinet Inc.
 Security Operations (SOC)

Fabric View > Automation includes the following:

Summary View playbook performance in a dashboard. This includes widgets for total
playbooks, playbooks executed, and an actions trend.
For more information, see the FortiAnalyzer Administration Guide.

Connectors View the status of available connectors supported for playbook automation.
For more information, see the FortiAnalyzer Administration Guide.

Playbook Configure and manage playbooks.

For more information, see the FortiAnalyzer Administration Guide.

Playbook Monitor View playbook jobs in a table view.

For more information, see the FortiAnalyzer Administration Guide.

Notifications for new Outbreak Alerts - 7.4.1

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l Outbreak Alerts

When new Outbreak Alerts are received, GUI notifications are added in the banner, ensuring timely notification for
administrators.
In the Outbreak Alerts pane, the Outbreak Alerts can now be sorted by Date or Severity, allowing for easy browsing and
retrieval based on these criteria. A "New" tag is also added to alerts received in the current month to distinguish them
from previous alerts.

FortiAnalyzer 7.4.0 New Features Guide 45

Fortinet Inc.
Security Operations (SOC)

For example, see the image below.

Use the tree menu in the sidebar to expand and browse the list of alerts.

After refreshing the pane, you will no longer see the New tag.

FortiAnalyzer 7.4.0 New Features Guide 46

Fortinet Inc.
 Security Operations (SOC)

To group alerts in the sidebar by severity instead of Date, select the Severity radio button.

MITRE ATT&CK matrices for Enterprise and ICS - 7.4.1

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l MITRE ATT&CK®

The MITRE ATT&CK® and MITRE ATT&CK® ICS panes have been added in FortiAnalyzer 7.4.1.
MITRE (MIT Research Establishment) ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a matrix
that helps to identify the objective of cyber attacks and the techniques that they may use. The matrix uses tactics as
column headers, and there are several techniques under each tactic. The Enterprise matrix consists of 16 tactics, and
the ICS matrix consists of 12 tactics.

FortiAnalyzer 7.4.0 New Features Guide 47

Fortinet Inc.
Security Operations (SOC)

In FortiAnalyzer, the MITRE ATT&CK matrices provide information related to the attacks identified by the associated
events and incidents. These panes also provide the coverage information of event handlers defined to identify the
attacks.
The OT Security Service is required for FortiAnalyzer to use all functionality in the MITRE ATT&CK® ICS pane. For more
information about this service, see the FortiAnalyzer Datasheet.
This topic includes the following information:
l To configure MITRE ATT&CK information in event handlers:
l To include MITRE ATT&CK information in an incident:
l To use the MITRE Domain or MITRE Tech ID as part of a playbook trigger:
l To use the Attack tab for a MITRE ATT&CK matrix in FortiAnalyzer:
l To use the Coverage tab for a MITRE ATT&CK matrix in FortiAnalyzer:
l MITRE ATT&CK® ICS without an OT Security Service license:

To configure MITRE ATT&CK information in event handlers:

1. When creating a basic or correlation event handler, select the MITRE Domain:
l N/A (default)
l Enterprise
l ICS
2. If Enterprise or ICS is selected for the MITRE Domain, you can then select the MITRE Tech ID(s) from the
dropdown.
This dropdown is an organized list of all the tactics and techniques in the matrix. You can select any number of
techniques or sub-techniques based on the rules that will be defined for the event handler.

The MITRE Domain and MITRE Tech ID columns have been added to the table views in Incidents & Events > Handlers >
Basic Handlers and Incidents & Events > Handlers > Correlation Handlers. Existing default event handlers have also
been updated with a MITRE Domain and MITRE Tech ID where appropriate.

FortiAnalyzer 7.4.0 New Features Guide 48

Fortinet Inc.
Security Operations (SOC)

To include MITRE ATT&CK information in an incident:

1. When creating an incident, select the MITRE Domain:

l N/A (default)
l Enterprise
l ICS
2. If Enterprise or ICS is selected for the MITRE Domain, you can then select the MITRE Tech ID(s) from the
dropdown.
This dropdown is an organized list of all the tactics and techniques in the matrix. You can select any number of
techniques or sub-techniques based on the incident details.

The MITRE Domain and MITRE Tech ID can also be included for incidents via the Create Incident and Update Incident
playbook task actions. In the example below, the MITRE Domain can be selected when Action = Create Incident.

FortiAnalyzer 7.4.0 New Features Guide 49

Fortinet Inc.
Security Operations (SOC)

The MITRE Domain and MITRE Tech ID columns have been added to the table view in Incidents & Events > Incidents.

To use the MITRE Domain or MITRE Tech ID as part of a playbook trigger:

When configuring an INCIDENT_TRIGGER for a playbook, you can select MITRE Domain or MITRE Tech ID as a filter
condition.

FortiAnalyzer 7.4.0 New Features Guide 50

Fortinet Inc.
Security Operations (SOC)

Similarly, when configuring an EVENT_TRIGGER for a playbook, you can select MITRE Domain or MITRE Tech ID as a
filter condition.

To use the Attack tab for a MITRE ATT&CK matrix in FortiAnalyzer:

Incidents & Events > MITRE ATT&CK® > Attack is used for the examples below, but the same
information applies for Incidents & Events > MITRE ATT&CK® ICS > Attack when you have an
OT Security Service license in FortiAnalyzer.

The Attack tab provides incident and event information associated with each technique in the matrix.
If there are events associated with the technique, an icon and count displays on the tile. A separate icon and count
displays for the associated incidents as well.

FortiAnalyzer 7.4.0 New Features Guide 51

Fortinet Inc.
Security Operations (SOC)

You can refresh the matrix or view the attacks in the specific time range by using the time filter in the toolbar. In the
example below, there are 182 events and 107 incidents associated with the Compromise Infrastructure technique in the
last 10 weeks.

Mouse over a tile to display a tooltip with the number of events and/or incidents under each sub-technique. In the
example below, the Botnet sub-technique has 182 events and 1 incident, while the Serverless sub-technique has 106
incidents.

Click a tile with associated events or incidents to open a pane for that technique. In this pane, you can toggle between
table views for associated Events and Incidents.
The table view for Events associated with the technique includes the following columns:

FortiAnalyzer 7.4.0 New Features Guide 52

Fortinet Inc.
Security Operations (SOC)

Column Description

Event Handler The event handler that generated the event(s).

Severity The severity of the event(s).

Technique The technique or sub-technique related to the event(s).

Affected Endpoints The number of affected devices.

Click the count for affected endpoints to open another pane with the list of
endpoints found in the events.

Event Count The event count related to that event handler and technique or sub-technique.

Click the event count to open Incidents & Events > Event Monitor in a new tab. The Event Monitor is filtered by the
selected handler and time range from the matrix. Note that the Event Monitor now includes columns for the MITRE
Domain and MITRE Tech ID.

FortiAnalyzer 7.4.0 New Features Guide 53

Fortinet Inc.
Security Operations (SOC)

The table view for Incidents associated with the technique includes following columns:

Column Description

Severity The severity of the incident(s).

Description The description for the incident.

Technique The technique or sub-technique related to the incident(s).

Affected Endpoints The number of affected endpoints.

Click the count for affected endpoints to open another pane with the list of
endpoints found in the incidents.

Incidents The incident count related to that technique or sub-technique.

Click the incident count to open the Incidents pane in a new tab. It is filtered by
incidents of the selected technique.

FortiAnalyzer 7.4.0 New Features Guide 54

Fortinet Inc.
Security Operations (SOC)

To use the Coverage tab for a MITRE ATT&CK matrix in FortiAnalyzer:

Incidents & Events > MITRE ATT&CK® > Coverage is used for the examples below, but the
same information applies for Incidents & Events > MITRE ATT&CK® ICS > Coverage when
you have an OT Security Service license in FortiAnalyzer.

The Coverage tab displays the number of event handlers associated with each technique in the matrix. This helps you to
determine gaps in coverage where more event handlers could be configured to identify related attacks. The top of the
pane displays the overall coverage. In the example below, the coverage is 121 Event Handlers - 42% Coverage.

When a basic or correlation event handler is associated with a technique, it will be included as part of the coverage for
that technique. The tile displays an icon and count for associated event handlers. Mouse over the tile to display the

FortiAnalyzer 7.4.0 New Features Guide 55

Fortinet Inc.
Security Operations (SOC)

information in a tooltip. This includes the total event handler count and a breakdown of the count for each sub-technique,
if they are available.
In the example below, the tooltip displays three event handlers associated with the Scanning IP Blocks sub-technique
and one associated with the Wordlist Scanning sub-technique.

Click a tile with coverage to open a table view of event handlers for that technique. The table includes the following
columns:

Column Description

State The state of the event handler: Enabled or Disabled.

Event Handlers The name of the event handler.

Description The description of the event handler.

Technique The technique or sub-technique(s) associated with the event handler. If there are
multiple sub-techniques associated with the event handler, the count will be
provided in this column. Click the count to display which sub-techniques are
associated with the event handler.

FortiAnalyzer 7.4.0 New Features Guide 56

Fortinet Inc.
Security Operations (SOC)

Click an event handler name in the table to view the event handler configuration. You can edit the Status, MITRE
Domain, and MITRE Tech ID from this pane, if needed. After updating the coverage for an event handler, refresh the
MITRE ATT&CK® matrix to display the changes.

MITRE ATT&CK® ICS without an OT Security Service license:

If you do not have an OT Security Service license for FortiAnalyzer, the MITRE ATT&CK® ICS pane will display a
notificaiton that the license is missing.
The Attack tab will not display any event or incident counts for the techniques in the matrix.

FortiAnalyzer 7.4.0 New Features Guide 57

Fortinet Inc.
 Security Operations (SOC)

The Coverage tab will display the event handler counts for the techniques, but you will not be able to click the tiles to view
their information or perform any actions.

Reports, event handlers, log parsers, and playbooks delivered as FortiGuard

packages - 7.4.2

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l Security Automation Service objects

FortiAnalyzer 7.4.2 includes the following enhancements:

FortiAnalyzer 7.4.0 New Features Guide 58

Fortinet Inc.
Security Operations (SOC)

l FortiGuard Outbreak Detection Service: Outbreak Alert reports delivered in content packages are saved on the
global level, reducing per-ADOM installation time.
l FortiAnalyzer Security Automation Service: The FortiAnalyzer Security Automation Service offers premium reports,
event handlers, SIEM parsers, and playbooks as content packages. These RHSP FortiGuard package objects are
only applied with a valid Security Automation Service license. For more information about this service, see the
FortiGuard website.
To determine if you have a valid license for these services in your FortiAnalyzer GUI, see License Information widget in
the FortiAnalyzer Administration Guide.

Reports:

Reports delivered as part of licensed FortiGuard Outbreak Detection Service can be found in Reports > Report
Definitions > All Reports. They are stored in the Outbreak Alert Reports folder at the global level. Outbreak Alert reports
released prior to this release remain at the ADOM level.

Reports included in the RHSP packages from the Security Automation Service are displayed in the global Security
Automation Reports folder. Note that the global folder and global reports are identified with the system theme's color

FortiAnalyzer 7.4.0 New Features Guide 59

Fortinet Inc.
Security Operations (SOC)

applied to the icon.

A new Origin column is added to the All Reports, Templates, Chart Library, Macro Library, and Datasets tables to
indicate where the object originated:
l FortiGuard: Delivered by a FortiGuard package.
l Built-in: Included in the FortiAnalyzer by default.
l Custom: Created by a FortiAnalyzer administrator.

FortiAnalyzer 7.4.0 New Features Guide 60

Fortinet Inc.
Security Operations (SOC)

Global report's Layout, Chart, and Dataset cannot be edited or deleted. They are available for reference only.

SIEM log parsers:

SIEM parsers delivered by the RHSP package are displayed in Incidents & Events > Log Parsers. They are stored at the
global level and FortiGuard is displayed in the Origin column indicating that the parsers were delivered as part of a
FortiGuard package.

FortiAnalyzer 7.4.0 New Features Guide 61

Fortinet Inc.
Security Operations (SOC)

Playbooks:

Playbooks delivered by the RHSP package are displayed in Fabric View > Automation > Playbook.

Event handlers:

Handlers delivered by the RHSP package are displayed in Incidents & Events > Handlers > Basic Handlers.

FortiAnalyzer 7.4.0 New Features Guide 62

Fortinet Inc.
 Log and Report

Log and Report

This section lists the new features added to FortiAnalyzer for logs and reports:
l Logging on page 63
l Log Forwarding on page 83
l Reports on page 87
l Others on page 106

Logging

This section lists the new features added to FortiAnalyzer for logging:
l FortiAnalyzer supports FortiWeb Cloud attack logs on page 63
l Support parsing and addition of third-party application logs to the SIEM DB on page 64
l Per-ADOM log rate on page 70
l Support EMS multitenancy via FortiAnalyzer ADOMs 7.4.1 on page 72
l Logging support for FortiCASB 7.4.1 on page 74
l Logging support for FortiPAM 7.4.1 on page 76
l Logging support for FortiToken Cloud 7.4.1 on page 77
l Support parsing and addition of third-party application logs to the SIEM DB in JSON format 7.4.1 on page 78
l FortiAnalyzer supports packet header information for FortiWeb traffic log 7.4.1 on page 80
l Additional log fields for long live session logs 7.4.2 on page 82

FortiAnalyzer supports FortiWeb Cloud attack logs

FortiAnalyzer now supports FortiWeb Cloud attack logs, and additional event/attack log fields have been added.
After adding and authorizing a FortiWeb Cloud device in FortiAnalyzer, you can view Attack and Event logs from this
device in Log View.

To view FortiWeb Cloud logs in FortiAnalyzer:

1. In Device Manager, add and authorize the FortiWeb Cloud device.

2. To view logs from the FortiWeb Cloud device, go to Log View > Log Browse.

You can also go to Log View > FortiWeb > Attack. This includes FortiWeb Cloud attack logs, as well as four new
fields:

FortiAnalyzer 7.4.0 New Features Guide 63

Fortinet Inc.
 Log and Report

l user_id, which corresponds to the User ID column

l app_id, which corresponds to the Application ID column
l app_name, which corresponds to the Application Name column
l app_domain, which corresponds to the Application Domain column
See an example of Log View > FortiWeb > Attack below.

Finally, you can also go to Log View > FortiWeb > Event. This includes FortiWeb Cloud event logs, as well as five
new fields:
l user_id, which corresponds to the User ID column
l login_user, which corresponds to the User column
l app_id, which corresponds to the Application ID column
l app_name, which corresponds to the Application Name column
l app_domain, which corresponds to the Application Domain column
See an example of Log View > FortiWeb > Event below.

Support parsing and addition of third-party application logs to the SIEM DB

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l SIEM log parsers

FortiAnalyzer supports parsing and addition of third-party application logs to the SIEM DB.
There are two types of log parsers:
l Predefined parsers
l Custom parsers
You can find predefined SIEM log parsers in Incidents & Events > Log Parser > Log Parsers. There are predefined
parsers for all fabric related Fortinet products. Predefined Apache and Nginx web server log parsers have also been
added to this list of predefined SIEM log parsers.

FortiAnalyzer 7.4.0 New Features Guide 64

Fortinet Inc.
Log and Report

The configuration of each SIEM log parser (predefined and custom) is specific to the ADOM that you are in. Any changes
to an existing parser or any newly added parsers will only affect the ADOM that the action was completed in. Ensure you
are in the correct ADOM when working with log parsers.
The following information is provided in this topic:
l To view the log parsers: on page 65
l The Apache web server log parser: on page 66
l The Nginx web server log parser: on page 67
l To import a custom log parser: on page 68
l To validate if the original logs can be parsed: on page 68
l To assign devices to a log parser: on page 69

To view the log parsers:

1. In Incidents & Events > Log Parser > Log Parsers, select Show Predefined and/or Show Custom to show the
available log parsers in the table view.
Each predefined log parser is assigned a default Application and Category. Custom log parsers are assigned a
default Application and Category when they are imported.
The # column is the priority of each Siem Log_Parser from highest (1) to lowest. By default, newly imported custom
log parsers are assigned the lowest priority. To change the priority, click the left edge of the row and drag and drop it
to the desired area in the table. See below.

2. Double-click a log parser in the table view to display all related SIEM logs. Alternatively, you can select the
checkbox for the log parser and click View Logs.

FortiAnalyzer 7.4.0 New Features Guide 65

Fortinet Inc.
Log and Report

3. Select the checkbox for one or more log parsers in the table to perform an action from the toolbar.
For example, you can Export in JSON format, Enable, Disable, Delete, or Validate the log parsers.
Some actions will be unavailable if they cannot be performed on the selected log parser(s).
l You cannot Disable a log parser if it is assigned and in use.
l You cannot Delete predefined log parsers. They can only be disabled.
l You cannot perform the Validate action on more than one parser at a time.

The Apache web server log parser:

Go to Incidents & Events > Log Parser > Log Parsers to find the Apache Log Parser in the predefined SIEM log parsers.
Double-click the parser to view the related logs.

FortiAnalyzer 7.4.0 New Features Guide 66

Fortinet Inc.
Log and Report

The Apache logs are also parsed in Log View > Fabric > All. You can filter by Data Parser Name = Apache Log
Parser.

The Nginx web server log parser:

Go to Incidents & Events > Log Parser > Log Parsers to find the Nginx Log Parser in the predefined SIEM log parsers.
Double-click the parser to view the related logs.

The Nginx logs are also parsed in Log View > Fabric > All. You can filter by Data Parser Name = Nginx Log
Parser.

FortiAnalyzer 7.4.0 New Features Guide 67

Fortinet Inc.
Log and Report

To import a custom log parser:

1. In Incidents & Events > Log Parser > Log Parsers, click Import.
The Import Log Parser dialog displays.
2. Drag and drop or select the log parser.
The log parser must be in the correct format as a JSON file to meet the requirements checked during the import.
3. Click OK.
Once added, the custom log parser will be included in the table view when Show Custom is selected.

To validate if the original logs can be parsed:

1. In Incidents & Events > Log Parser > Log Parsers, select the checkbox for a log parser.
2. Click Validate.
The Validate Log Parser pane opens.
3. Enter a log to validate and click Validate.
A Parse Result will display in the same pane.

FortiAnalyzer 7.4.0 New Features Guide 68

Fortinet Inc.
Log and Report

To assign devices to a log parser:

1. Go to Incidents & Events > Log Parser > Assigned Parsers.

The existing log parser assignments display in a table view.

2. Select the checkbox for an existing log parser assignment and click Edit.
Alternatively, you can click Create New to create a new log parser assignment.
The Change Parser pane displays.
3. From the Current Parser dropdown, select the log parser to assign the device/application to.
4. Click OK.

FortiAnalyzer 7.4.0 New Features Guide 69

Fortinet Inc.
 Log and Report

Per-ADOM log rate

To better fit multi-tenancy deployment, FortiAnalyzer provides a per-ADOM log rate that the administrator can monitor to
prevent one ADOM/customer from impacting the stability of the entire unit.
An additional diskquota log has been introduced to inform the administrator when an ADOM reaches the configured
quota threshold.

To view the logs in the GUI:

A log message for ADOM performance statistics (log rate) is added to both FortiAnalyzer Event logs and Application
logs. FortiAnalyzer Event logs will generate this message for all ADOMs, while Application logs will generate this
message for the current ADOM only.
For example, see the below log messages in Log View > FortiAnalyzer > Event:

For example, see the below log messages in Log View > FortiAnalyzer > Application:

A log message is also added for ADOM archive usage to Local Application Logs. See below example taken from Log
View > FortiAnalyzer > Application:

FortiAnalyzer 7.4.0 New Features Guide 70

Fortinet Inc.
Log and Report

To set the interval for the ADOM performance statistics logs:

CLI configuration is added for the interval time to log performance state.
In the FortiAnalyzer CLI, enter the following command:
config system locallog setting
set log-interval-adom-perf-stats <integer>
end

For the log-interval-adom-perf-stats setting, enter the interval in minutes. The range should be 5-2880. Enter
0 to disable the logs.

Example logs:

Event log message for ADOM performance statistics (log rate):

id=7231962960615178247 bid=865533 dvid=1040 itime=1683822591 euid=1 epid=1 dsteuid=1
dstepid=1 log_id="0001010093" subtype="system" type="event" level="notice"
time="09:29:51" date="2023-05-11" user="system" action="Stats" msg="Adom root
performance status: lograte=54/sec" userfrom="system" desc="Adom performance
statistics notice" operation="Perf stats" performed_on="Local system" changes="Show
adom performance stats." lograte=54 logratelimit=0 tz="-0700" devid="FAZ-VMTM22011553"
devname="eFAZ-227"

Application log message for ADOM performance statistics (log rate):

id=7207521362594958664 bid=101707 dvid=1059 itime=1678131838 euid=1 epid=1 dsteuid=1
dstepid=1 vd="fortinet" logid="220004" type="appevent" subtype="system"
eventtype="perf-stats" action="Stats" level="notice" date="2023-03-06" time="11:43:58"
user="system" user_from="system" desc="Adom performance statistics notice" msg="Adom
fortinet performance status: log rate low (0%), lograte=49/sec" tz="-0800"
adom="fortinet" operation="Perf stats" lograte=49 performed_on="Local system"
changes="Show adom performance stats." logratelimit=0 devid="FAZ-VMTM23003360"
devname="eFAZ-54"

Log message for ADOM archive usage:

id=7207519107737128256 bid=100933 dvid=1059 itime=1678131313 euid=1 epid=1 dsteuid=1
dstepid=1 vd="fortinet" logid="220003" type="appevent" subtype="diskquota"
eventtype="disk-usage" level="warning" date="2023-03-06" time="11:35:14" user="system"
user_from="system" desc="Disk quota warning" msg="Disk usage for Adom fortinet is
approaching the delete threshold 90% of total 50.0MB. Archive Usage at 196.7%(29.5MB)
and Analytics Usage at 41.6%(14.6MB)." tz="-0800" adom="fortinet" diskusage=88
devid="FAZ-VMTM23003360" devname="eFAZ-54"

FortiAnalyzer 7.4.0 New Features Guide 71

Fortinet Inc.
 Log and Report

Support EMS multitenancy via FortiAnalyzer ADOMs - 7.4.1

With FortiClient EMS multitenancy, you can create multiple sites, providing granular access to different sites and
separating endpoint data and configurations.
FortiAnalyzer has added support to EMS multitenancy by providing the following:
l Each log is mapped to its corresponding site using the vd log field
l EMS sites can be assigned to different FortiAnalyzer ADOMs
EMS logs (with multiple FCT logs) can be received by FortiAnalyzer directly with required fields added.

FortiClient can be promoted into Fabric ADOM or FortiClient ADOM in FortiAnalyzer.

The FortiClient logs from multitenancy logs can be converted to vd=sitename when receiving logs.

FortiAnalyzer 7.4.0 New Features Guide 72

Fortinet Inc.
Log and Report

The multitenancy logs can be assigned to different ADOMs based on its VDOM when the ADOM Mode is set to
Advanced.

Two new fields are added to FortiClient logs:

l vd
l regdevname

The FortiClient logs can be filtered by these fields in Log View. For example, see below.

FortiAnalyzer 7.4.0 New Features Guide 73

Fortinet Inc.
 Log and Report

Logging support for FortiCASB - 7.4.1

FortiAnalyzer v7.4.1 recognizes FortiCASB devices as device type.

FortiAnalyzer can now receive, store, and display logs from authorized FortiCASB devices in Log View.

To configure FortiCASB logging to FortiAnalyzer:

1. In the FortiCASB GUI, go to Overview > Fabric Integration > Add New FortiAnalyzer.
2. Configure the following settings for the FortiAnalyzer device and click Add New FortiAnalyzer:
l Device Name
l Device IP Address
l Device Serial Number

FortiAnalyzer 7.4.0 New Features Guide 74

Fortinet Inc.
Log and Report

3. In the FortiAnalyzer GUI, go to Device Manager in the root ADOM.

The FortiCASB displays in the Unauthorized Devices list.
4. Select the FortiCASB device and click Authorize.
The FortiCASB device now displays in All Logging Devices list.

The FortiCASB logs display in Log View > FortiCASB.

The FortiCASB device can now be used in Reports.

FortiAnalyzer 7.4.0 New Features Guide 75

Fortinet Inc.
 Log and Report

Logging support for FortiPAM - 7.4.1

FortiAnalyzer v7.4.1 recognizes FortiPAM devices as device type.

To configure FortiPAM logging to FortiAnalyzer:

1. In the FortiPAM GUI, go to Network > Fabric Connectors, and edit FortiAnalyzer Logging. In the Server field, enter
the FortiAnalyzer IP address.

2. In the FortiAnalyzer GUI root ADOM, go to Device Manager > Unauthorized Devices. Select the FortiPAM device
and click Authorize.

The FortiPAM device is now authorized in Device Manager.

FortiAnalyzer 7.4.0 New Features Guide 76

Fortinet Inc.
 Log and Report

3. To view logs from the FortiPAM device, go to Log View > FortiPAM.

You can create a FortiPAM report in FortiAnalyzer.

Logging support for FortiToken Cloud - 7.4.1

FortiAnalyzer can now receive, store, and display logs from authorized FortiToken Cloud devices in Log View.

To configure FortiToken Cloud logging on FortiAnalyzer:

1. Configure the FortiToken Cloud device to send logs to FortiAnalyzer.

2. In the FortiAnalyzer GUI, go to Device Manager in the root ADOM.
The FortiToken Cloud displays in the Unauthorized Devices list.

3. Select the FortiToken Cloud device and click Authorize.

FortiAnalyzer 7.4.0 New Features Guide 77

Fortinet Inc.
 Log and Report

The FortiToken Cloud device now displays in All Logging Devices list.

The FortiToken Cloud logs display in Log View > FortiToken.

The FortiToken Cloud device can now be used in Reports.

Support parsing and addition of third-party application logs to the SIEM DB in JSON
format - 7.4.1

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l SIEM log parsers

If third-party logs are in JSON format, the default Windows, Apache, and Nginx log parsers can parse generic field data
from them. These default log parsers can also be updated in the GUI, if needed.
In Incidents & Events > Log Parser > Assigned Parsers, the third-party devices are automatically assigned to the
appropriate log parser according to their logs in JSON format.

FortiAnalyzer 7.4.0 New Features Guide 78

Fortinet Inc.
Log and Report

The Windows Event Log Parser can parse Windows logs in JSON format. For example, Event_Profile, Event_Serverity,
and Host_Name. The complete content of JSON is inserted into Event_Msg field for future reference, if needed.

The Nginx Log Parser can parse Nginx server logs in JSON format. For example, Data_TimeStamp, Host_Name, and
HTTP_Referrer. The complete content of JSON is inserted into Event_Msg field for future reference, if needed.

FortiAnalyzer 7.4.0 New Features Guide 79

Fortinet Inc.
 Log and Report

The Apache Log Parser can parse Apache server logs in JSON format. For example, Host_IP, Host_Name, and
Application_Service. The complete content of JSON is inserted into Event_Msg field for future reference, if needed.

FortiAnalyzer supports packet header information for FortiWeb traffic log - 7.4.1

FortiAnalyzer supports packet header information for FortiWeb traffic log to centralize the troubleshooting. This feature
requires field "set traffic_packet" to be enabled.

To view packet header information for FortiWeb traffic logs on FortiAnalyzer:

1. On FortiAnalyzer, go to Log View > FortiWeb.

FortiAnalyzer 7.4.0 New Features Guide 80

Fortinet Inc.
Log and Report

2. View the packet header dialog window by one of the following methods:
l Click the icon in the Data column.

l Click the icon in the detail panel.

To enable the traffic packet setting on FortiWeb:

1. In the FortiWeb CLI, enable the traffic_packet setting. For example:

config log forti-analyzer
set traffic_packet enable
end

FortiAnalyzer 7.4.0 New Features Guide 81

Fortinet Inc.
 Log and Report

Additional log fields for long live session logs - 7.4.2

In FortiAnalyzer 7.4.2, three new log fields are supported for FortiGate long live session logs:
l Duration Delta
l Sent Packet Delta
l Received Packet Delta
These fields are only available when the FortiGate is v7.4.2 or higher.

To view the new fields in the FortiAnalyzer GUI:

1. Go to Log View > Traffic.

In the table view, there are three new columns:
l Duration Delta
l Received Packet Delta
l Sent Packet Delta

FortiAnalyzer 7.4.0 New Features Guide 82

Fortinet Inc.
 Log and Report

If these columns are not visible, click the Column Settings icon and add the columns to the table view. For more
information, see Customizing displayed columns in the FortiAnalyzer Administration Guide.
2. To open the log detail pane, double-click a long live session log in the table.
In the Others section, the three new fields are available:
l Duration Delta
l Received Packet Delta
l Sent Packet Delta

The fields are also available when viewing the raw log in FortiAnalyzer.

Log Forwarding

This section lists the new features added to FortiAnalyzer for log forwarding:
l Fluentd support for public cloud integration on page 83

Fluentd support for public cloud integration

Support is added for log streaming to multiple destinations via Fluentd. This allows log forwarding to public cloud
services.
You can create output profiles to configure log forwarding to public cloud services.

To create an output profile for log forwarding:

1. Go to System Settings > Advanced > Log Forwarding > Output Profile.
2. Click Create New.
The Create Output Profile pane displays.

FortiAnalyzer 7.4.0 New Features Guide 83

Fortinet Inc.
Log and Report

3. Configure the following options:

Name Enter a name for the output profile.

Type Select the public cloud service for the output profile.

Configuration Click Use Default to use the default Fluentd configuration for the selected
public cloud service.
Alternatively, copy and paste the Fluentd configuration into this field for the
selected public cloud service.

Field Fields will automatically be added into the configuration if a keyword matches
the placeholder in the configuration to provide encryption for you to hide the
credentials.
For example, a password placeholder in the configuration would be
"${password}". In the field, you can define Field: password, Value:
actual_password.

4. Click Validate and Save.

To configure log forwarding to the output profile:

1. Go to System Settings > Advanced Log Forwarding > Settings.

2. Click Create New.
The Create New Log Forwarding pane displays.

FortiAnalyzer 7.4.0 New Features Guide 84

Fortinet Inc.
Log and Report

3. Configure the following options:

Name Enter a name for the remote server.

Status Enable log forwarding.

Remote Server Type Select Forward via Output Plugin.

Output Profile Select the output profile.

Log Forwarding Filters

Device Filters Click Select Device, then select the devices whose logs will be forwarded.

Log Filters Enable to configure filters for the logs that are forwarded.

Enable Exclusions Enable to configure filter on the logs that are forwarded.

Enable Masking Enable log field masking, if needed.

4. Click OK.
To troubleshoot the Fluentd connection with the FortiAnalyzer CLI:
1. In the FortiAnalyzer CLI, enter the following command to check the Fluentd write status:
FAZVM64 # diagnose test application fwdplugind 4
Stats for plugin:
lfw_name: logfw-CloudWatch
plugin_name: Amazon CloudWatch
type: AMAZON_CLOUDWATCH
fd-plug-id: tcp_1_3da_6af_922_1c3
fluentd emit stats(emit_calls|emit_rec_calls|emit_size): 3685, 88677, 0
fluentd write stats(write|retry|rollback): 3, 0, 0
fluentd buffer queue(byte_size|total_queue_size|queue_len|ratio): 49842536,
52433884, 2, 0
fluentd buffer stage(byte_size|stage_length): 4325288, 1
fluentd flush stats(flush_time|slow_flush_count): 0, 0
2. In the FortiAnalyzer CLI, enter the following command to determine if the Fluentd log files are present:
FAZVM64 # diagnose sql fluentd log-tail
Fluentd log files are not present. Please turn on Fluentd log first if you need to
test it.

FortiAnalyzer 7.4.0 New Features Guide 85

Fortinet Inc.
Log and Report

3. In the FortiAnalyzer CLI, enter the following command to enable Fluentd logging:
FAZVM64 # diagnose test application fwdplugind 201 log enable
Warning: This will enable Fluentd logging.
Fluentd requires a restart for changes to take effect. The restart will disrupt
Fluentd's current log handling.
Execute the command again in one minute for the changes to take effect.
FAZVM64 # diagnose test application fwdplugind 201 log enable
Fluentd logging is enabled, Fluentd will be restarted.
4. In the FortiAnalyzer CLI, enter the following command again to show the processed events:
FAZVM64 # diagnose sql fluentd log-tail
File /drive0/private/fwdplugind/fluentd/logs/faz-td-agent.log, is present, will
open it.
Please press Control+C to exit.
======================================
aws_sec_key xxxxxx
region "us-west-2"
log_group_name "Log-Group-Test"
log_stream_name "Log-Stream-test"
auto_create_stream true
@id tcp_1_3da_6af_922_1c3
<buffer tag,time>
@type "memory"
chunk_limit_size 10M
total_limit_size 50M
timekey 5m
timekey_wait 30s
timekey_use_utc true
flush_thread_count 3
flush_at_shutdown true
overflow_action block
retry_forever true
disable_chunk_backup true
</buffer>
</match>
</worker>
</ROOT>
2023-04-24 16:05:20 -0700 [info]: starting fluentd-1.15.2 pid=12376 ruby="2.7.6"
2023-04-24 16:05:20 -0700 [info]: spawn command to main: cmdline=
["/usr/local/fluentd/td-agent/bin/ruby", "-Eascii-8bit:ascii-8bit",
"/usr/sbin/td-agent", "-d", "/drive0/private/fwdplugind/fluentd/faz-td-
agent.pid", "-c", "/drive0/private/fwdplugind/fluentd/faz-td-agent.conf", "-
o", "/drive0/private/fwdplugind/fluentd/logs/faz-td-agent.log", "--log-rotate-
size", "5120000", "--under-supervisor"]
2023-04-24 16:05:20 -0700 [info]: #0 adding match pattern="tcp_1" type="cloudwatch_
logs"
2023-04-24 16:05:21 -0700 [info]: adding source type="monitor_agent"
2023-04-24 16:05:21 -0700 [info]: #0 adding source type="tcp"
2023-04-24 16:05:21 -0700 [info]: #0 starting fluentd worker pid=12390 ppid=12387
worker=0
2023-04-24 16:05:21 -0700 [info]: #0 listening tcp socket bind="127.0.0.1"
port=10000
2023-04-24 16:05:21 -0700 [info]: #0 fluentd worker is now running worker=0

FortiAnalyzer 7.4.0 New Features Guide 86

Fortinet Inc.
 Log and Report

Reports

This section lists the new features added to FortiAnalyzer for reports:
l Report guidance on page 87
l PCI Security Rating Report on page 89
l Cyber Threats Assessment Report update on page 90
l Threat Report update on page 91
l FSBP Security Rating Report on page 93
l CIS Controls Security Rating report on page 94
l Shadow IT Report on page 95
l FortiADC Report 7.4.1 on page 97
l Default ZTNA Report 7.4.1 on page 98
l FortiEDR Report 7.4.1 on page 99
l ISO 27001:2022 Compliance Security Rating Report 7.4.1 on page 101
l Exporting a report with settings 7.4.1 on page 102
l HIPAA Compliance Security Rating Report 7.4.2 on page 104

Report guidance

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l Report guidance

FortiAnalyzer provides many factory default reports that use charts relying on specific log types and log fields to provide
valuable output. When running a full report, you may see "No Data" returned in sections if:
l logging was not enabled correctly
l the report element is for a different Device/Log Type
l there are no matching logs
Debugging such scenarios can be time consuming because it requires navigating through charts, macros, and datasets.
To improve the overall reporting experience, a new Report Guidance feature has been implemented to provide full
visibility for each report element in terms of:
l Device Type (e.g. Fortigate)
l Log Type (e.g. traffic)
l Log Fields (e.g. action, itime)
In short, you can use the Report Guidance feature to troubleshoot and determine if FortiAnalyzer has the appropriate
Analytics logs available for a report.

To use the Report Guidance feature:

1. Go to Reports > Report Definitions > All Reports.

There is a new Config Recommendation column.

FortiAnalyzer 7.4.0 New Features Guide 87

Fortinet Inc.
Log and Report

2. Click the icon in the Config Recommendation column.

The Report Guidance pane opens for that report. This pane provides the Item Title (chart or macro name),
Device Type, Log Type, and the relevant Log Fields and Analytics log availability.

The Report Guidance pane is available for license-controlled reports, but the report cannot be generated without a valid
license.

For reports that are not generated with log tables, such as the FSBP/PCI or CIS Security Rating Reports, the Report
Guidance pane will indicate No record found.

FortiAnalyzer 7.4.0 New Features Guide 88

Fortinet Inc.
 Log and Report

PCI Security Rating Report

A PCI Security Rating Report is now available on FortiAnalyzer to optimize the deployed FortiGates in terms of Security
Posture, Fabric Coverage, and Optimization based on PCI DSS 3.2 standards. This report consolidates security ratings
performed on fabric deployments.
Each category includes the Failed, Unmet, Passed, and Exempt security control results. Recommendations are
provided as well.
For example, see a sample of page 1 from the report in PDF format below.

To create the report from the template:

1. Go to Reports > Report Definitions > Templates.

From the Preview column, you can click PDF or HTML to preview the report in that format.
2. Select the checkbox for Template - PCI Security Rating Report.
3. From the More dropdown, click Create Report to create a report using the template.
You can also click Clone to clone the template and make adjustments.

FortiAnalyzer 7.4.0 New Features Guide 89

Fortinet Inc.
 Log and Report

To run the PCI Security Rating Report:

1. Go to Reports > Report Definitions > All Reports, and double-click the row for the PCI Security Rating Report.
The Edit: PCI Security Rating Report pane opens.
2. Click Run Report.
Once the report is available, click the format to view the report in.

Cyber Threats Assessment Report update

The existing Cyber Threats Assessment Report has been updated with new style and content to enhance the visibility of
the provided data.
For example, see a sample of the report in PDF format below:

FortiAnalyzer 7.4.0 New Features Guide 90

Fortinet Inc.
 Log and Report

To create the report from the template:

1. Go to Reports > Report Definitions > Templates.

From the Preview column, you can click PDF or HTML to preview the report in that format.
2. Select the checkbox for Template - Cyber Threats Assessment Report.
3. From the More dropdown, click Create Report to create a report using the template.
You can also click Clone to clone the template and make adjustments.

To run the Cyber Threats Assessment Report:

1. Go to Reports > Report Definitions > All Reports, and double-click the row for the Cyber Threats Assessment
Report.
The Edit: Cyber Threats Assessment Report pane opens.
2. Click Run Report.
Once the report is available, click the format to view the report in.

Threat Report update

The Threat Report has been updated to provide the following:

FortiAnalyzer 7.4.0 New Features Guide 91

Fortinet Inc.
Log and Report

l New style and content to better present threat data

l Threats are mapped to the Cyber Kill Chain stages for correlation and pattern identification
For example, see a sample of the report in PDF format below:

To create the report from the template:

1. Go to Reports > Report Definitions > Templates.

From the Preview column, you can click PDF or HTML to preview the report in that format.
2. Select the checkbox for Template - Threat Report.
3. From the More dropdown, click Create Report to create a report using the template.
You can also click Clone to clone the template and make adjustments.

FortiAnalyzer 7.4.0 New Features Guide 92

Fortinet Inc.
 Log and Report

To run the Threat Report:

1. Go to Reports > Report Definitions > All Reports, and double-click the row for the Threat Report.
The Edit: Threat Report pane opens.
2. Click Run Report.
Once the report is available, click the format to view the report in.

FSBP Security Rating Report

A FSBP (Fortinet Security Best Practices) Security Rating Report is available on FortiAnalyzer to optimize the deployed
FortiGates in terms of Security Posture, Fabric Coverage, and Optimization. This report consolidates security ratings
performed on fabric deployments.
Each category includes the Failed, Unmet, Passed, and Exempt security control results. Recommendations are
provided as well.
For example, see a sample of page 1 from the report in PDF format below.

To create the report from the template:

1. Go to Reports > Report Definitions > Templates.

From the Preview column, you can click PDF or HTML to preview the report in that format.

FortiAnalyzer 7.4.0 New Features Guide 93

Fortinet Inc.
 Log and Report

2. Select the checkbox for Template - FSBP Security Rating Report.

3. From the More dropdown, click Create Report to create a report using the template.
You can also click Clone to clone the template and make adjustments.

To run the FSBP Security Rating Report:

1. Go to Reports > Report Definitions > All Reports, and double-click the row for the FSBP Security Rating Report.
The Edit: FSBP Security Rating Report pane opens.
2. Click Run Report.
Once the report is available, click the format to view the report in.

CIS Controls Security Rating report

A CIS Controls Security Rating Report is now available on FortiAnalyzer. This report includes CIS mapping information.
For example, see a sample of the report in PDF format below.

FortiAnalyzer 7.4.0 New Features Guide 94

Fortinet Inc.
 Log and Report

To create the report from the template:

1. Go to Reports > Report Definitions > Templates.

From the Preview column, you can click PDF or HTML to preview the report in that format.
2. Select the checkbox for Template - CIS Controls Security Rating Report.
3. From the More dropdown, click Create Report to create a report using the template.
You can also click Clone to clone the template and make adjustments.

To run the CIS Controls Security Rating Report:

1. Go to Reports > Report Definitions > All Reports, and double-click the row for the CIS Controls Security Rating
Report.
The Edit: CIS Controls Security Rating Report pane opens.
2. Click Run Report.
Once the report is available, click the format to view the report in.

Shadow IT Report

The Shadow IT Report is now available on FortiAnalyzer.

This report provides enhanced visibility and control for cloud based applications.
Detected applications are classified as:
l Managed: Allowed applications.
l Unmanaged: Blocked, quarantined, or reset applications.
Information about the applications, including their Category and Compliance Standard, is provided by the Shadow IT
database (SIDB).
Application risk is determined by a numerical score provided by the SIDB for each application. The Risk Levels in the
report are as follows:
l Low: Score is 1 to 15.
l Guarded: Score is 16 to 30.
l Elevated: Score is 31 to 50.
l High: Score is 51 to 70.
l Severe: Score is 71 to 100.
The Overall Risk Level is the average application risk score for all detected managed applications.

FortiAnalyzer 7.4.0 New Features Guide 95

Fortinet Inc.
Log and Report

The High Risk Sessions are the number of sessions from managed applications with a risk score of High or
Severe.
For example, see a sample of page 1 from the report in PDF format below.

To create the report from the template:

1. Go to Reports > Report Definitions > Templates.

From the Preview column, you can click PDF or HTML to preview the report in that format.
2. Select the checkbox for Template - Shadow IT Report.
3. From the More dropdown, click Create Report to create a report using the template.
You can also click Clone to clone the template and make adjustments.

To run the Shadow IT Report:

1. Go to Reports > Report Definitions > All Reports, and double-click the row for the Shadow IT Report.
The Edit: Shadow IT Report pane opens.
2. Click Run Report.
Once the report is available, click the format to view the report in.

FortiAnalyzer 7.4.0 New Features Guide 96

Fortinet Inc.
 Log and Report

FortiADC Report - 7.4.1

The FortiADC Report is available on FortiAnalyzer to offer comprehensive visibility into application load balancing and
security features, enabling rapid identification of security patterns and trends associated with the use of the product.
For example, see a sample of page 1 from the report in PDF format below.

This report requires that a FortiADC device has been added and authorized to the FortiAnalyzer.

To create the report from the template:

1. Go to Reports > Report Definitions > Templates.

From the Preview column, you can click PDF or HTML to preview the report in that format.
2. Select the checkbox for Template - FortiADC Report.
3. From the More dropdown, click Create Report to create a report using the template.
You can also click Clone to clone the template and make adjustments.

FortiAnalyzer 7.4.0 New Features Guide 97

Fortinet Inc.
 Log and Report

To run the FortiADC Report:

1. Go to Reports > Report Definitions > All Reports, and double-click the row for the FortiADC Report.
The Edit: FortiADC Report pane opens.
2. Click Run Report.
Once the report is available, click the format to view the report in.

Default ZTNA Report - 7.4.1

The Default ZTNA Report is now available on FortiAnalyzer to enhance visibility in terms of applications being used with
the corresponding bandwidth used and sessions. To better differentiate accessibility and deployments, applications are
grouped as private, public, and SaaS. Users that present security risks due to failing security postures can be quickly
identified.
For example, see a sample of page 1 from the report in PDF format below.

FortiAnalyzer 7.4.0 New Features Guide 98

Fortinet Inc.
 Log and Report

To create the report from the template:

1. Go to Reports > Report Definitions > Templates.

From the Preview column, you can click PDF or HTML to preview the report in that format.
2. Select the checkbox for Template - Default ZTNA Report.
3. From the More dropdown, click Create Report to create a report using the template.
You can also click Clone to clone the template and make adjustments.

To run the Default ZTNA Report:

1. Go to Reports > Report Definitions > All Reports, and double-click the row for the Default ZTNA Report.
The Edit: Default ZTNA Report pane opens.
2. Click Run Report.
Once the report is available, click the format to view the report in.

FortiEDR Report - 7.4.1

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l List of Report Templates

A FortiEDR report is available on FortiAnalyzer to provide insight into the security events detected by the endpoint
collectors. It also contains information on triaged, inspected, and classified events, along with details on how the events
were remediated.
For example, see a sample of page 1 from the report in PDF format below.

FortiAnalyzer 7.4.0 New Features Guide 99

Fortinet Inc.
Log and Report

To create the report from the template:

1. Go to Reports > Report Definitions > Templates.

From the Preview column, you can click PDF or HTML to preview the report in that format.
2. Select the checkbox for Template - FortiEDR Report.
3. From the More dropdown, click Create Report to create a report using the template.
You can also click Clone to clone the template and make adjustments.

To run the FortiEDR Report:

1. Go to Reports > Report Definitions > All Reports, and double-click the row for the FortEDR Report.
The Edit: FortiEDR Report pane opens.
2. Click Run Report.
Once the report is available, click the format to view the report in.

FortiAnalyzer 7.4.0 New Features Guide 100

Fortinet Inc.
 Log and Report

ISO 27001:2022 Compliance Security Rating Report - 7.4.1

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l List of Report Templates

FortiAnalyzer v7.4.1 includes an ISO 27001:2022 Compliance Security Rating Report to help customers optimize their
deployed FortiGates and other fabric devices to be aligned with the technical requirements of common industry
compliance framework.
For example, see a sample of page 2 from the report in PDF format below.

To create the report from the template:

1. Go to Reports > Report Definitions > Templates.

From the Preview column, you can click PDF or HTML to preview the report in that format.
2. Select the checkbox for Template - ISO 27001:2022 Compliance Security Rating Report .
3. From the More dropdown, click Create Report to create a report using the template.
You can also click Clone to clone the template and make adjustments.

FortiAnalyzer 7.4.0 New Features Guide 101

Fortinet Inc.
 Log and Report

To run the ISO 27001:2022 Compliance Security Rating Report:

1. Go to Reports > Report Definitions > All Reports, and double-click the row for the ISO 27001:2022 Compliance
Security Rating Report .
The Edit: ISO 27001:2022 Compliance Security Rating Report pane opens.
2. Click Run Report.
Once the report is available, click the format to view the report in.

Exporting a report with settings - 7.4.1

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l Importing and exporting reports

In FortiAnalyzer 7.4.1, the report settings, subnets, LDAP server, and output profile configurations are included in
exported report files. You can then import the report file, including the configurations, to another FortiAnalyzer unit or
ADOM.

To export a report:

1. If using ADOMs, ensure that you are in the correct ADOM.

2. Go to Reports > Report Definitions > All Reports.
3. Select a report, and click More > Export.
In this example, the admin is exporting the Application Risk and Control report.

The Export Report pane displays.

FortiAnalyzer 7.4.0 New Features Guide 102

Fortinet Inc.
Log and Report

4. Use the toggles to Backup Other Dependent Settings in the exported file, as needed:
l Subnets
l LDAP Server (the export will remove the ADOM setting from the LDAP configuration)
l Output Profile
l Email
By default, all of these options are disabled.
5. Click OK to export the report.
The report configuration is saved as a .dat file on the management computer. This includes the charts, datasets,
images, and report settings.

To import a report:

1. If using ADOMs, ensure that you are in the correct ADOM.

If the device type used in the charts and datasets for the report does not match the ADOM type, the import will be
rejected with an error. For more information, see How ADOMs affect reports in the FortiAnalyzer Administration
Guide.
2. Go to Reports > Report Definitions > All Reports.
3. Click More > Import.
The Import Report pane displays.

FortiAnalyzer 7.4.0 New Features Guide 103

Fortinet Inc.
 Log and Report

4. In the File field, drag and drop the .dat report file, or click Browse and select the file.
In the example pictured above, the admin is importing the previously exported Application Risk and
Control report.
5. From the Save to Folder dropdown, select the folder to save the report in.
6. Select the Action in Case of Conflict:
l Keep Current Settings (default)
l Reject with Error
l Overwrite
7. Click OK to import the report.

HIPAA Compliance Security Rating Report - 7.4.2

The HIPAA Compliance Security Rating Report is now available on FortiAnalyzer to provide a security and compliance
posture assessment of the security fabric against HIPAA compliance requirements.
For example, see a sample of page 1 and 2 from the report in PDF format below.

FortiAnalyzer 7.4.0 New Features Guide 104

Fortinet Inc.
Log and Report

To create the report from the template:

1. Go to Reports > Report Definitions > Templates.

From the Preview column, you can click PDF or HTML to preview the report in that format.
2. Select the checkbox for Template - HIPAA Compliance Security Rating Report.
3. Right-click the report and select Create Report to create a report using the template.
You can also click Clone to clone the template and make adjustments.

FortiAnalyzer 7.4.0 New Features Guide 105

Fortinet Inc.
 Log and Report

To run the report:

1. Go to Reports > Report Definitions > All Reports, and double-click the row for the HIPAA Compliance Security
Rating Report.
The Edit: HIPAA Compliance Security Rating Report pane opens.
2. Click Run Report.
Once the report is available, click the format to view the report in.

Others

This section lists the new features added to FortiAnalyzer for other topics relating to logging and reporting:
l Time zone settings per ADOMs/Reports on page 106
l New API to restore logs on page 109

Time zone settings per ADOMs/Reports

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l Creating ADOMs

l Report Settings tab

To allow a more granular reporting experience for Global deployment, different timezones can be configured on each
ADOM/Report.
The Default time zone used for this setting is the time zone set for the FortiAnalyzer.

To configure the time zone for an ADOM:

1. Go to System Settings > ADOMs.

2. Edit or create a new ADOM.
3. From the Time Zone dropdown, select a time zone for the ADOM.
This time zone will be used when displaying data in Log View and FortiView for this ADOM.

FortiAnalyzer 7.4.0 New Features Guide 106

Fortinet Inc.
Log and Report

4. Click OK to save.

Example:

In this example, the system time zone is (GMT-8:00) Pacific Time, which is used by the root ADOM. The admin creates a
new adom (ADOM1) and sets the time zone to (GMT-5:00) Eastern Time:

In the root ADOM, the Log View, FortiView, and Generated Reports panes are displayed according to the default system
time zone: (GMT-8:00) Pacific Time.
For example, the admin is reviewing the panes below at approximately 16:30 Pacific Time.

FortiAnalyzer 7.4.0 New Features Guide 107

Fortinet Inc.
Log and Report

In ADOM1, the Log View, FortiView, and Generated Reports panes are displayed according the ADOM's specified time
zone: (GMT-5:00) Eastern Time.
For example, the admin is reviewing the panes below at approximately 16:40 Pacific Time (19:40 Eastern Time).

FortiAnalyzer 7.4.0 New Features Guide 108

Fortinet Inc.
 Log and Report

To configure the time zone for a report:

1. Go to Reports > Report Definitions > All Reports.

2. Double-click the report, or right-click the report and select Edit.
3. Go to the Settings tab.
4. From the Time Zone dropdown, select a time zone to use for data in the report output.

5. Click Apply to save.

New API to restore logs

In FortiAnalyzer 7.4.0, a new JSON API endpoint has been created to allow logrestore:
/logview/logrestore

In addition, the execute restore logs command in the CLI is now a non-blocking task.

To implement non-blocking "restoring logs" via the CLI:

1. To run the "restoring logs" command via the CLI, enter the following command:
execute restore logs <device name(s)> {ftp | scp | sftp} <ip> <username> <password>
<directory> [vdlist]
Note: This command restores all logs from a specified server which were backed up
prior to changing the RAID level or formatting the disks. Executing it
frequently is not recommended!
Do you want to continue? (y/n)y
The restore operation will overwrite any logs already on the FortiAnalyzer.
For following up:
diagnose log restore status
diagnose log restore cancel

FortiAnalyzer 7.4.0 New Features Guide 109

Fortinet Inc.
Log and Report

2. To view the last log restore result or to check the status via the CLI, enter the following command:
diagnose log restore status
Request for log restore for device "<device>" from IP "<IP>" at <date and time>
Stopping processes.
Downloading files for device <device>...
Restore log file: <device>[root].dlog.1611248549.log.gz
Restore log file: <device>[root].elog.1611250406.log.gz
Restore log file: <device>[root].tlog.1611250406.log.gz
Restore log file: <device>[root].vlog.1611250406.log.gz
Restore log file: <device>[root].wlog.1611191194.log.gz
Update device <device> log files disk usage...
Restoration completed successfully.
Recommend to rebuild log database by 'exec sql-local rebuild-db'.
Restarting processes.
3. If the task is not complete yet, it can be stopped using the following command in the CLI:
diagnose log restore cancel

To implement "restoring logs" via the JSON API:

1. Add logrestore API:

request={
'jsonrpc': '2.0',
'params': [{
'username': 'string',
'service': 'ftp', 'filepath': 'string',
'url': '/logview/logrestore', 'ip': 'ip_address',
'logs-type': 'logs-only',
'apiver': 3,
'device': [{
'devname': 'All_Device'
}],
'password': 'string'
}],
'id': '1',
'method': 'add'
}
logs-type: logs-only logs-archive
response={jsonrpc': '2.0', 'result': {'status': {'message': 'succeeded', 'code': 0},
'reqid': xxxxx, u'logs-only': 0}, 'id': '1'}
2. Get logrestore status by reqid:
request={"jsonrpc": "2.0", "session": "<session>", "params": [{"url": "/logview/log
restore/${reqid}", "apiver": 3}], "id": "1", "method": "get"}
The ${reqid} refer to the reqid in the response of "add logrestore".
response={
"jsonrpc": "2.0", "result": {
"task-status": "finished",
"reqid": 1495138327,
"data": {
"message": "Request for log restore for device \"All_FortiGate\" from IP \"<ip
address>\" at 2023-06-13 10:58:58\n\nStopping processes. \n\nDownloading
files for device <device> (<device>[*])... \n No backup fi sk
usage...\nDownloading files for device <device> (<device>[*])... \n No
backup files for device <device>.\n\nUpdate device <device> log files disk
usage...\nDownloading files for device <device> (F e device <device> log
files disk usage...\nDownloading files for device <device> (<device>[*])...

FortiAnalyzer 7.4.0 New Features Guide 110

Fortinet Inc.
Log and Report

\n No backup files for device <device>. \n\nUpdate device <device> log

files disk usage...\n\nRestora
"device-result": {
"device": [{
"devid": "<device>",
"status": "No backup files"
}]
"status": "Restoration completed successfully."
}
},
"status": {
"code": 0,
"message": "succeeded"
}
},
"id": "1"
}

FortiAnalyzer 7.4.0 New Features Guide 111

Fortinet Inc.
 System

System

This section lists the new features added to FortiAnalyzer for system settings:
l High Availability (HA) on page 112
l Administrators on page 115
l Others on page 121

High Availability (HA)

This section lists the new features added to FortiAnalyzer for high availability (HA):
l Geo-redundant High Availability (HA) on page 112

Geo-redundant High Availability (HA)

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l Geo-redundant HA

An active-active mode is now available on FortiAnalyzer HA to help create a geo-redundant solution.

In FortiAnalyzer HA active-passive mode, a layer 2 connection is required between HA members in order to set up the
HA cluster virtual IP. In active-active mode, however, a layer 2 connection is not required between data centers at
different locations.
Below is a brief comparison between FortiAnalyzer HA in active-passive and active-active mode.

active-passive active-active

Only the HA primary can receive logs and archive files All HA members can receive logs and archive files from
from its directly connected device and forward them to HA its directly connected device and forward logs and
secondary. archive files to its HA peer.

Only the HA primary can forward data to the remote All HA members can forward its directly received logs and
server. archive file to the remote server.

In the examples below, the goal is to build an active-active geo-redundant layer 3 FortiAnalyzer HA cluster between two
data centers. The FortiAnalyzer HA members are located in different places. They are communicating with each other
via routers. There is no layer 2 connection.

Unicast must be enabled for the HA heartbeat in order for the cluster to operate in this mode.
This setting can only be configured from the CLI. For more information on enabling the unicast
heartbeat setting, see the FortiAnalyzer CLI Reference.
When unicast is enabled, VRRP packets are sent to the peer address instead of the multicast
address. VRRP (IP protocol 112) must be allowed through any connecting firewalls.

FortiAnalyzer 7.4.0 New Features Guide 112

Fortinet Inc.
System

To build a geo-redundant FortiAnalyzer HA via the GUI:

1. In the first FortiAnalyzer, configure the primary in System Settings > HA.
l For Operation Mode, select Active-Active.
l For Preferred Role, select Primary.
l Complete the other fields, including Peer IP and Peer SN.
l Cluster Virtual IP (VIP) is optional. It requires a layer 2 connection between HA members. If VIP is not
configured, select the interface which is used to communicate with the peer as Heart Beat Interface. You can
click the X icon next to the VIP entry to remove it.

2. In the second FortiAnalyzer, configure the primary in System Settings > HA.
l For Operation Mode, select Active-Active.
l For Preferred Role, select Secondary.
l Complete the other fields, including Peer IP and Peer SN.
l Cluster VIP is optional. It requires a layer 2 connection between HA members. If VIP is not configured, select
the interface which is used to communicate with the peer as Heart Beat Interface. You can click the X icon next

FortiAnalyzer 7.4.0 New Features Guide 113

Fortinet Inc.
System

to the VIP entry to remove it.

To build a geo-redundant FortiAnalyzer HA via the CLI:

For more information about the FortiAnalyzer CLI commands, see the FortiAnalyzer 7.4 CLI Reference.
1. Configure the FortiAnalyzer HA.
When configuring the FortiAnalyzer system ha, set mode to a-a. The vip is optional; if there is no layer 2
connection between HA members, vip will not work. In this case, set hb-interface as the interface which is
used to communicate with the peer.
a. Configure the first FortiAnalyzer. In the CLI, enter the following commands:
config system ha
set mode a-a
set group-id 100
set group-name "FAZVM64-HA"
set hb-interface "port1"
set unicast enable
set password xxxxxx
config peer
edit 1
set ip "192.168.1.101"
set serial-number "FAZ-VMTM-----6"
next
end
set preferred-role primary
set priority 120
end
b. Configure the second FortiAnalyzer. In the CLI, enter the following commands:
config system ha
set mode a-a
set group-id 100
set group-name "FAZVM64-HA"
set hb-interface "port1"
set unicast enable
set password xxxxxx
config peer

FortiAnalyzer 7.4.0 New Features Guide 114

Fortinet Inc.
 System

edit 1
set ip "192.168.2.102"
set serial-number "FAZ-VMTM-----7"
next
end
end
2. If the alternate FortiAnalyzer can be configured on FortiGate, set server to the HA primary and set alt-
server to the HA secondary. In the FortiGate CLI, enter:
config log fortianalyzer setting
set status enable
set ?
...
*server The main remote FortiAnalyzer.
alt-server The alternate remote FortiAnalyzer.
...
set server 192.168.2.102
set alt-server 192.168.1.101
...
end
3. If the alternate FortiAnalyzer cannot be configured on FortiGate, set server to a HA member which is reachable
from the FortiGate or to the VIP address of the FortiAnalyzer HA, if any. In the FortiGate CLI, enter:
config log fortianalyzer setting
set status enable
...
set server 192.168.2.102 (or 10.2.60.93)
...
end

Administrators

This section lists the new features added to FortiAnalyzer for administrators:
l A new restricted admin profile can be used to only change the administrators passwords 7.4.2 on page 115
l Per-ADOM admin profile 7.4.2 on page 118

A new restricted admin profile can be used to only change the administrators
passwords - 7.4.2

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l Administrator profiles

A new restricted admin profile can be used to only change the administrators passwords.

FortiAnalyzer 7.4.0 New Features Guide 115

Fortinet Inc.
System

l A new admin profile called Password_Change_User has been added.

l The admin profile has all permissions in the FortiAnalyzer GUI set to None.

l The admin profile has the following permissions in the CLI:

l write-passwd-access: Read/Write.

l rpc-permit: Read/Write.

l When the admin profile is applied to a user, the user will see "No access privilege" when attempting to log into the
FortiAnalyzer GUI.

FortiAnalyzer 7.4.0 New Features Guide 116

Fortinet Inc.
System

l The user can only access FortiAnalyzer using the CLI or API. When logging in via CLI or API, the admin is able to
change user's passwords.

To specify which user/profile passwords can be changed:

1. In the FortiAnalyzer CLI, enter the following commands to configure write-passwd-access:

config system admin profile
edit Password_Change_User
set write-passwd-access
all All users.
specify-by-profile Specify by profile.
specify-by-user Specify by user.
set write-passwd-access
There are 3 options, by default allow to change all user's password.
l all: Password_Change_User admins can change the password for all users.
l specify-by-profile: Only allow the password of users who are using these profiles to be changed.
set write-passwd-access specify-by-profile
set write-passwd-profiles
profileid Profile ID.
Restricted_User profile
Standard_User profile
Super_User profile
Package_User profile
No_Permission_User profile
Password_Change_User profile
profile1 profile
set write-passwd-profiles Restricted_User Standard_User profile1
In this example, Restricted_User, Standard_User, and profile1 are selected. Password_Change_User admins
can only change the password of users who are using the Restricted_User, Standard_User, or profile1 profile.
The user can't change password of users who are using the Super_User profile for instance.
l specify-by-user: Only allow the password of users in the list to be changed.
set write-passwd-access specify-by-user
set write-passwd-user-list
<userid> users

FortiAnalyzer 7.4.0 New Features Guide 117

Fortinet Inc.
 System

admin
test
test1
test2
test3
set write-passwd-user-list test test3
In this example, test and test3 are selected. Password_Change_User admins can only change the password of
the test and test3 user. Users cannot change the password of admin, test1, or test2.

Per-ADOM admin profile - 7.4.2

A per-ADOM admin profile allows the administrator to log in on different ADOMs with different admin profiles.

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l Creating administrators

To assign a per-ADOM admin profile:

1. Create multiple ADOMs, as needed. In this example, adom1 and adom2 have been created.

FortiAnalyzer 7.4.0 New Features Guide 118

Fortinet Inc.
System

2. Create multiple Admin Profiles with different access, as needed. In this example, profile1_write and
profile2_read have been created.

3. Go to System Settings > Administrators, and click Create New.

Alternatively, you can select an existing administrator and click Edit.
4. For Administrative Domain, select Specify and select the ADOMs the user should have access to.

FortiAnalyzer 7.4.0 New Features Guide 119

Fortinet Inc.
System

5. For Admin Profile, select Per-ADOM.

If Single is selected, the administrator will only have one admin profile for all ADOMs.
When Per-ADOM is selected, the Admin Profile setting displays the list of ADOMs that you specified access to for
the administrator. A Profile dropdown is available for each ADOM.
6. Using the Profile dropdowns, select an admin profile for each ADOM.
The profile determines the administrator's access to the FortiAnalyzer features when they are in that ADOM.
In the example below, a different profile is selected for each ADOM. The user admin1 will have profile1_write
access in adom1 and profile2_read access in adom2.

In System Settings > Administrators, the Profile column lists the profiles selected per-ADOM.
7. Configure the other settings for the administrator, and click OK.
In this example, admin1 has write access in adom1 and read access in adom2. See below.

FortiAnalyzer 7.4.0 New Features Guide 120

Fortinet Inc.
 System

Others

This section lists the new features added to FortiAnalyzer for other features relating to system settings:
l FortiAnalyzer GUI enhancements on page 121
l Fabric of FAZ topology chart on page 125
l Fabric of FAZ: member authorization with supervisor on page 127
l Fabric of FAZ global FortiView support on page 132
l Fabric of FAZ: Central report support and creating Fabric groups on page 134
l Block out contract device from upgrading to next or major or minor release on page 137
l FortiManager and FortiAnalyzer support HTTP/2 for improved security, multiplexing, and reduced network latency
7.4.1 on page 139
l Backup strategy and configuration setup added to the FortiAnalyzer setup wizard 7.4.2 on page 141

FortiAnalyzer GUI enhancements

To enhance the user experience and to align to FortiOS, the following changes have been added to the FortiAnalyzer
GUI:
l Uses a new and customizable landing page (Dashboard)
l Uses Neutrino framework
l Adopts a 3-layer navigation, making all menus accessible via a single click
The Dashboard includes widgets, such as Log Status and Alert Message Console. You can toggle which widgets display
from the Toggle Widget dropdown.

FortiAnalyzer 7.4.0 New Features Guide 121

Fortinet Inc.
System

You can access other pages, such as Device Manager, from the left-pane navigation.

If there are sub-menus, as in FortiView, the left-pane navigation will expand to show other pages in that section.

FortiAnalyzer 7.4.0 New Features Guide 122

Fortinet Inc.
System

Further sub-menus may also be available along the top of the pane. For example, in the image below, the admin has
navigated to FortiView > Traffic > Top Destinations.

When available, you can click the horizontal view icon ( ) to switch to a vertical display of the sub-menu. The sub-menu
will then display in a left-pane navigation instead.

FortiAnalyzer 7.4.0 New Features Guide 123

Fortinet Inc.
System

Click Toggle Horizontal Menu to return to the horizontal display at the top of the pane.

On any page in the GUI, you can click the menu icon ( ) to hide the left-pane navigation. Click the menu icon ( ) again to
re-open the left-pane navigation.

FortiAnalyzer 7.4.0 New Features Guide 124

Fortinet Inc.
System

Fabric of FAZ topology chart

This information is also available in the FortiAnalyzer 7.4 Fabric Deployment Guide:
l Configuring the FortiAnalyzer Fabric

A FortiAnalyzer Fabric topology chart is displayed on the supervisor to quickly identify connected members and their
corresponding status.

FortiAnalyzer Fabric supervisor:

To view the topology on the supervisor, go to System Settings > Fabric Management > Fabric Settings. In the Fabric
Members section, the topology displays all connected members.

FortiAnalyzer 7.4.0 New Features Guide 125

Fortinet Inc.
System

You can hover over the role for a FortiAnalyzer in the topology to display more information in a tooltip.

You can also see the topology in the supervisor's Log View. Hover over a FortiAnalyzer in the FortiAnalyzer Host Name
column to view the topology in a tooltip.

FortiAnalyzer Fabric member:

To view the topology on a member, go to System Settings > Fabric Management > Fabric Settings. In the Fabric
Members section, the topology displays only the connection to the supervisor. It does not display the other members in
the FortiAnalyzer Fabric.

FortiAnalyzer 7.4.0 New Features Guide 126

Fortinet Inc.
System

Fabric of FAZ: member authorization with supervisor

This information is also available in the FortiAnalyzer 7.4 Fabric Deployment Guide:
l Configuring the FortiAnalyzer Fabric

The FortiAnalyzer Fabric authentication process has been enhanced by implementing the following:
l Members can join the FortiAnalyzer Fabric by entering the cluster name and IP of the supervisor. No static
password is required.
l The supervisor can authorize and reject members from joining the FortiAnalyzer Fabric.
l A trusted-list can be configured on the FortiAnalyzer Fabric supervisor to automatically authorize members if
they match the configured serial number.
l A trusted-list can be configured on FortiAnalyzer Fabric members, so that they will join the FortiAnalyzer
Fabric only if the supervisor matches the configured serial number.

FortiAnalyzer Fabric supervisor:

When configuring a FortiAnalyzer Fabric supervisor in System Settings > Fabric Management, there is no password
configuration in the Fabric Settings.

FortiAnalyzer 7.4.0 New Features Guide 127

Fortinet Inc.
System

When members join the FortiAnalyzer Fabric, they will display in the topology for the supervisor. From this topology in
the supervisor, you can authorize or reject the members.

If authorized, the member will join the FortiAnalyzer Fabric and it will remain visible in the topology.

FortiAnalyzer 7.4.0 New Features Guide 128

Fortinet Inc.
System

If rejected, the member will be removed from topology and it will be blocked from attempting to re-join the FortiAnalyzer
Fabric for 10 minutes.

FortiAnalyzer 7.4.0 New Features Guide 129

Fortinet Inc.
System

FortiAnalyzer Fabric members:

When joining a FortiAnalyzer Fabric as a member, go to System Settings > Fabric Management. You do not need to
enter a password. Instead, enter the cluster name and IP of the supervisor.

After configuring the FortiAnalyzer as a member, the Authorization field will display Pending.

Once the member is authorized by the supervisor, the Authorization field will change to Accepted. The topology will
display this member and the supervisor, but it will not display other members in the FortiAnalyzer Fabric.

FortiAnalyzer 7.4.0 New Features Guide 130

Fortinet Inc.
System

If the member is rejected by the supervisor, the Authorization field will change to Rejected. The member must wait 10
minutes before sending another request to join the FortiAnalyzer Fabric. To try again, click apply after the block-out time
is complete.

To leave a FortiAnalyzer Fabric, go to System Settings > Fabric Management > Fabric Settings in the member and set
the Status to disabled. A message will display to confirm the action.

After confirming the message, click Apply to save the configuration.

FortiAnalyzer 7.4.0 New Features Guide 131

Fortinet Inc.
 System

If needed, the member can re-join the FortiAnalyzer Fabric, but it will need to be authorized by the supervisor again.

Trusted-list for a FortiAnalyzer Fabric:

The trusted-list configuration is completed on the CLI for both the supervisor and the members.
In the supervisor's CLI, you can add members' serial numbers to a trusted-list. This supports wildcard; for example,
FAZ-VMTM120033*. Once a member's serial number is added to the trusted-list, that FortiAnalyzer can
automatically join the FortiAnalyzer Fabric as a member without the supervisor's authorization.
To add a member to the trusted-list, enter the following command in the supervisor's CLI:
config system soc-fabric
config trusted-list
edit 1
set serial <member's serial number, which can include wildcards (*)>
end
end

In the member's CLI, you can configure a trusted-list with the supervisor's serial number to verify the legitimacy of
the supervisor. This prevents data leakage to a falsified supervisor. Members will only join the FortiAnalyzer Fabric when
the supervisor's serial number matches the members trusted-list.
To configure a trusted-list on a member, enter the following command in the member's CLI:
config system soc-fabric
config trusted-list
edit 1
set serial <Supervisor's serial number>
end
end

For members without a trusted-list configured, they will treat all supervisors as legitimate.

Fabric of FAZ global FortiView support

This information is also available in the FortiAnalyzer 7.4 Fabric Deployment Guide:
l FortiView

The FortiAnalyzer supervisor allows you to see FortiView analytics across the entire FortiAnalyzer Fabric. For more
granular analysis, you can filter by the FortiAnalyzer members or ADOMs.

FortiAnalyzer 7.4.0 New Features Guide 132

Fortinet Inc.
System

In the FortiAnalyzer Fabric supervisor, go to the FortiView panes. The information in these panes are generated from all
members in the Fabric cluster. See the below example of FortiView > Threats > Top Threats.

Double-click an entry to drill down to a Log View of the information. In this view, you can determine the member using the
FortiAnalyzer Host Name column.

You can also filter the FortiView panes by the Fabric members or ADOMs in the device list.

FortiAnalyzer 7.4.0 New Features Guide 133

Fortinet Inc.
 System

Fabric of FAZ: Central report support and creating Fabric groups

This information is also available in the FortiAnalyzer 7.4 Fabric Deployment Guide:
l Reports

l Fabric Groups

Reports can now be executed from the Fabric supervisor that fetches and aggregates data from multiple FortiAnalyzer
Fabric members. Reports are centrally visible on the supervisor.
Additionally, FortiAnalyzer Fabric members or ADOMs can be grouped in a Fabric Group, which can be used in the Log
View, FortiView and Reports device filter.

Reports:

The Reports panes are available in the FortiAnalyzer Fabric supervisor.

FortiAnalyzer 7.4.0 New Features Guide 134

Fortinet Inc.
System

In the supervisor, you can edit a report to specify which devices (Fabric members, ADOMs, and Fabric Groups) to
include when running the report.

The reports' formats, charts, and tables are the same as a regular FortiAnalyzer's, but they include aggregated results
from all the selected members.

To create a Fabric Group in a FortiAnalyzer Fabric:

1. In the FortiAnalyzer Fabric supervisor, go to System Settings > Fabric Management > Fabric Groups.

2. Click Create New.

3. In the Group Name field, enter a name for the Fabric Group.
4. In the Add Member section, select the FortiAnalyzer Fabric members to include.
To add only specific ADOMs from the member, expand the member in the list and select the ADOMs to include.

FortiAnalyzer 7.4.0 New Features Guide 135

Fortinet Inc.
System

5. Click OK.
The Fabric Group can now be edited or deleted from the table.

The Fabric Group is also visible in Device Manager.

It can be selected in the device filter for FortiView, Log View, and Reports. See an example in Log View below.

FortiAnalyzer 7.4.0 New Features Guide 136

Fortinet Inc.
 System

Block out contract device from upgrading to next or major or minor release

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l Updating the system firmware

To view available FortiGuard images:

1. A FortiAnalyzer with a valid contract will display all available FortiGuard images and allow upgrading or
downgrading to any version.

FortiAnalyzer 7.4.0 New Features Guide 137

Fortinet Inc.
System

l System Settings:

2. A FortiAnalyzer without a valid contract or with an expired contract will only display available patch images and
support patch upgrades.

FortiAnalyzer 7.4.0 New Features Guide 138

Fortinet Inc.
 System

l System Settings:

FortiManager and FortiAnalyzer support HTTP/2 for improved security, multiplexing,

and reduced network latency - 7.4.1

FortiManager and FortiAnalyzer support HTTP/2 for improved security, multiplexing, and reduced network latency.
l Before this feature was implemented, HTTP/1.1 is used and can be viewed in the browser's Web Developer Tools:

FortiAnalyzer 7.4.0 New Features Guide 139

Fortinet Inc.
System

l After apache-mode is set to "event", HTTP/2 is used and can be viewed in the browser's Web Developer Tools:

FortiAnalyzer 7.4.0 New Features Guide 140

Fortinet Inc.
 System

To configure the apache-mode in the FortiAnalyzer CLI:

Enter the following command in the FortiAnalyzer CLI:

config system global
set apache-mode {event| prefork}
event Apache event mode.
prefork Apache prefork mode.
set apache-mode event
end

Backup strategy and configuration setup added to the FortiAnalyzer setup wizard -
7.4.2

Backup strategy and configuration setup has been added to the FortiAnalyzer setup wizard.

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l FortiAnalyzer Setup Wizard

To set a backup strategy using the onboarding wizard:

1. When logging into FortiAnalyzer, the new Backup Strategy option will be displayed as part of the setup wizard if it
has not already been completed.

2. After the Register and SSO with FortiCare, Specify Hostname, Change Your Password, and Upgrade Firmware
steps are completed, you can proceed to configure your Backup Strategy.
l If you do not wish to set a backup strategy at this time, you can click Later to postpone the task. Next time you
log in to FortiAnalyzer, you will see that the Backup Strategy task is not completed and you will be prompted to
complete the configuration.
3. To configure the backup strategy, enter the following configuration:

FortiAnalyzer 7.4.0 New Features Guide 141

Fortinet Inc.
System

a. Backup Configuration File to: Settings that determine where the backup file will be saved.
b. Backup Frequency: Settings that determines how often the backup will be performed.
c. Encryption: Set a password for encryption of the backup configuration.
d. Click Next to complete the configuration.

The next time you log in to FortiAnalyzer, the Backup Strategy task will be displayed with a check mark indicating
completion.

You can go to Dashboard to view the Next Backup date and time in the System Information widget.

FortiAnalyzer 7.4.0 New Features Guide 142

Fortinet Inc.
Cloud Services

Cloud Services

This section lists the new features added to FortiAnalyzer for cloud services:
l FortiAnalyzer supports FortiCare Elite Service on page 143

FortiAnalyzer supports FortiCare Elite Service

FortiAnalyzer and FortiAnalyzer Cloud now supports FortiCare Elite Service.

To use this service, cloud management must be enabled on the FortiAnalyzer and the FortiGate Cloud portal.

Log forwarding configuration to the Elite Service can be viewed in the FortiAnalyzer GUI. This log forwarding
configuration cannot be edited or deleted.

The log forward configuration to Elite Service is also visible in the FortiAnalyzer CLI. For example:
config system log-forward
edit 40000
set mode forwarding
set fwd-max-delay realtime

FortiAnalyzer 7.4.0 New Features Guide 143

Fortinet Inc.
Cloud Services

set server-name "elite"

set server-addr "172.16.94.93"
set fwd-server-type elite-service
set fwd-reliable enable
set fwd-compression enable
set fwd-archives disable
set proxy-service disable
config device-filter
edit 1
set action include-like
set device "*"
next
end
set log-filter-status enable
config log-filter
edit 1
set field level
set oper >=
set value "critical"
next
edit 2
set field logid
set value "0110052000"
next
end
set signature 1449934396
next

You can disable the Elite Service in the FortiAnalyzer CLI, if needed. It can also be re-enabled using the same
command. In the FortiAnalyzer CLI, enter:
config system central-management
set elite-service {enable | disable}
end

If elite-service is disabled, the log forwarding to Elite Service will automatically be removed. FGC will push the
configuration back if the elite-service is later set to enable.
FAZVM64 # config system central-management
(central-management)# get
type : cloud-management
elite-service : enable

Logs that meet the filter within the log forward configuration will be forwarded to Elite log server. See a sample log in the
FortiAnalyzer GUI below:

FortiAnalyzer 7.4.0 New Features Guide 144

Fortinet Inc.
Cloud Services

Sample logs from Elite log server:

2023-04-14 13:50:42,136 DEBUG Processing /dev/shm/fams/log_upload/proc/FAZ-
VMTM22090591.1264692.nrt.e.1681505055.562204.34406
2023-04-14 13:50:42,137 DEBUG Create new raw log file: elog_20230414_135042 for (*****,
elog)
2023-04-14 13:50:47,083 DEBUG ---sending elite kafka msg---,
elitelogserver.remoteaccessmgr.faz.fsbp, {"action":"downloadFsbpFile","data":
{"fazSn":"FAZ-
VMTM22090591","fgtSn":"FGVMSLTM22002986","auditId":*****,"accountId":*****,"auditTime"
:1681490426}}

Note that this log forward configuration does NOT impact other types of log forwarding.

The Elite log server can call API to get the Fortinet Security Best Practices (FSBP) reports.
API:
{
"apiver": 3,
"url": "/fazsys/auditrpt/fgt-orig-rpt",
"data":
{
"devid": "FGVMSLTM22002986",
"auditID": "1681505424727"

FortiAnalyzer 7.4.0 New Features Guide 145

Fortinet Inc.
Cloud Services

}
}

The reports are updated in FortiAnalyzer:

This log forward config does not impact other types of log forward in FortiAnalyzer.

FortiAnalyzer 7.4.0 New Features Guide 146

Fortinet Inc.
Operational Technology

Operational Technology

This section lists the new features added to FortiAnalyzer for Operational Technology:
l Operational Technology (OT) Security Service on page 147
l OT Purdue Model in a consolidated Asset & Identity Center Dashboard on page 149
l OT Security Risk Report on page 152

Operational Technology (OT) Security Service

Upon purchasing the OT Security Service Entitlement, the Asset Identity Center in FortiAnalyzer will include valuable
information regarding the detected OT/IoT vulnerabilities. This includes information such as:
l A breakdown of OT/IoT vulnerabilities with corresponding severity
l Top 10 OT/IoT vulnerabilities by number of occurrences
l Top 10 assets with OT/IoT vulnerabilities
l Details of the vulnerabilities per endpoints
With this service, you can access the following features:
l Go to Asset Identity Center > Summary for OT/IoT Vulnerability widgets.

If you do not have a license for the service, the widgets will not be visible.

FortiAnalyzer 7.4.0 New Features Guide 147

Fortinet Inc.
Operational Technology

l Go to Asset Identity Center > Asset Identity List > Asset List to view OT/IoT Vulnerabilities in the table.

l Click the numbers in the OT/IoT Vulnerabilities column to display the vulnerabilities in more detail, including Type,
Severity, Reference, and Description.

l Click the CVE reference in the Reference column to view the details.

FortiAnalyzer 7.4.0 New Features Guide 148

Fortinet Inc.
Operational Technology

l In the FortiAnalyzer CLI, you can enter the following command to check the status of the endpoint data link between
FortiAnalyzer and FortiGate:
diagnose test application oftpd 20 fgt-stat

OT Purdue Model in a consolidated Asset & Identity Center

Dashboard

This information is also available in the FortiAnalyzer 7.4 Administration Guide:

l OT View

An OT Purdue model has been added to a new and consolidated Asset & Identity Center.
This spec introduces a consolidated dashboard for both Assets and Identities: Fabric View > Asset Identity Center. In
previous versions, Asset and Identity each had a separate dashboard.
In the new OT View, each asset is represented in its corresponding Purdue Layer. All associated endpoints are visible
with clear, linear relationships.
To view the new OT View, go to Fabric View > Asset Identity Center > OT View.

FortiAnalyzer 7.4.0 New Features Guide 149

Fortinet Inc.
Operational Technology

Use the Select Devices fields to display all endpoints associated with specified devices.

Use the Search field to find a specific endpoint, as needed.

FortiAnalyzer 7.4.0 New Features Guide 150

Fortinet Inc.
Operational Technology

Click an endpoint to review the details of the endpoint or the endpoint's group.

Within the OT View pane, click Custom View > Save As Custom View to create a custom view.

The saved custom views are available in Fabric View > Asset Identity Center > Custom View.

When using Fabric View > Asset Identity Center > Asset List, you can right-click an endpoint and click Show in OT view
to display it in the OT view instead of the asset list.

FortiAnalyzer 7.4.0 New Features Guide 151

Fortinet Inc.
Operational Technology

After clicking Show in OT view, the Fabric View > Asset Identity Center > OT View opens to display the selected
endpoint.

OT Security Risk Report

An Operational Technology (OT) Security Risk Report has been added to provide:
l Application risk analysis for OT and IT zones
l Blind-spot and hidden risks detection
l Purdue Model asset mapping
For example, see a sample of the report in PDF format below:

FortiAnalyzer 7.4.0 New Features Guide 152

Fortinet Inc.
Operational Technology

To create the report from the template:

1. Go to Reports > Report Definitions > Templates.

From the Preview column, you can click PDF or HTML to preview the report in that format.
2. Select the checkbox for Template - Operational Technology (OT) Security Risk Report.

FortiAnalyzer 7.4.0 New Features Guide 153

Fortinet Inc.
Operational Technology

3. From the More dropdown, click Create Report to create a report using the template.
You can also click Clone to clone the template and make adjustments.

To run the Operational Technology (OT) Security Risk Report:

1. Go to Reports > Report Definitions > All Reports, and double-click the row for the Operational Technology (OT)
Security Risk Report.
The Edit: Operational Technology (OT) Security Risk Report pane opens.
2. Click Run Report.
Once the report is available, click the format to view the report in.

FortiAnalyzer 7.4.0 New Features Guide 154

Fortinet Inc.
Other

This section lists the other new features added to FortiAnalyzer:

l Licensing adjustment on page 155

Licensing adjustment

Version 7.4.0 introduces multiple adjustments to the FortiAnalyzer licensing model to accommodate extra licenses:
l Security Operations > Security Automation has been renamed to FortiGuard > Security Automation
l A new subscription has been introduced for OT Security Service, enabling access to OT-related features like the OT
Dashboard and report. This can be found on the FortiAnalyzer GUI under the name Industrial Security Service.
l A new subscription has been introduced for Security Rating and Compliance, allowing access to additional
compliance reports such as PCI, FSBP, and CIS. This can be found on the FortiAnalyzer GUI under the name
Security Rating Update.
These licenses are visible in the License Information widget.

If licensed for the Industrial Security Service, the OT/IoT Vulnerability widgets will be visible in Fabric View > Asset
Identity Center > Summary.

FortiAnalyzer 7.4.0 New Features Guide 155

Fortinet Inc.
Other

The OT/IoT Vulnerabilities will also be available in Fabric View > Asset Identity Center > Asset Identity List.

If unlicensed for the Industrial Security Service, these features will not be available.

FortiAnalyzer 7.4.0 New Features Guide 156

Fortinet Inc.
Other

For more information about OT features in FortiAnalyzer, see Operational Technology on page 147.

FortiAnalyzer 7.4.0 New Features Guide 157

Fortinet Inc.
 Index

Index

The following index provides a list of all new features added to FortiAnalyzer 7.4. The index allows you to quickly identify
the version where the feature first became available in FortiAnalyzer.
Select a version number to navigate in the index to the new features available for that release:
l 7.4.0 on page 158
l 7.4.1 on page 159
l 7.4.2 on page 160

7.4.0

Fabric View

Connectors l Webhook Connector to Support MS Teams on page 9

Security Operations

Incident and event management l New predefined correlation event handlers on page 16

Asset and identity l New charts in the Asset Identity Center on page 40

Other enhancements l FortiSoC GUI reorganization on page 42

Log and Report

Logging l FortiAnalyzer supports FortiWeb Cloud attack logs on page 63

l Support parsing and addition of third-party application logs to the SIEM DB
on page 64
l Per-ADOM log rate on page 70

Log forwarding l Fluentd support for public cloud integration on page 83

Reports l Report guidance on page 87

l PCI Security Rating Report on page 89
l Cyber Threats Assessment Report update on page 90
l Threat Report update on page 91
l FSBP Security Rating Report on page 93
l CIS Controls Security Rating report on page 94
l Shadow IT Report on page 95

FortiAnalyzer 7.4.0 New Features Guide 158

Fortinet Inc.
 Index

Other enhancements l Time zone settings per ADOMs/Reports on page 106

l New API to restore logs on page 109

System

High availability l Geo-redundant High Availability (HA) on page 112

Other enhancements l FortiAnalyzer GUI enhancements on page 121

l Fabric of FAZ topology chart on page 125
l Fabric of FAZ: member authorization with supervisor on page 127
l Fabric of FAZ global FortiView support on page 132
l Fabric of FAZ: Central report support and creating Fabric groups on page
134
l Block out contract device from upgrading to next or major or minor release on
page 137

Cloud Services

Cloud services l FortiAnalyzer supports FortiCare Elite Service on page 143

Operational Technology

Operational Technology l Operational Technology (OT) Security Service on page 147

l OT Purdue Model in a consolidated Asset & Identity Center Dashboard on
page 149
l OT Security Risk Report on page 152

Other

Other enhancements l Licensing adjustment on page 155

7.4.1

Security Operations

SOAR SIEM l Playbook event trigger correleation rules 7.4.1 on page 15

Dashboards l SD-WAN Cloud Assisted Monitoring service widgets 7.4.1 on page 27

FortiAnalyzer 7.4.0 New Features Guide 159

Fortinet Inc.
 Index

l Data leak prevention monitor in FortiView 7.4.1 on page 31

l FortiProxy monitor in FortiView 7.4.1 on page 34

Other enhancements l Notifications for new Outbreak Alerts 7.4.1 on page 45

l MITRE ATT&CK matrices for Enterprise and ICS 7.4.1 on page 47

Log and Report

Logging l Support EMS multitenancy via FortiAnalyzer ADOMs 7.4.1 on page 72

l Logging support for FortiCASB 7.4.1 on page 74
l Logging support for FortiPAM 7.4.1 on page 76
l Logging support for FortiToken Cloud 7.4.1 on page 77
l Support parsing and addition of third-party application logs to the SIEM DB in
JSON format 7.4.1 on page 78
l FortiAnalyzer supports packet header information for FortiWeb traffic log
7.4.1 on page 80

Reports l FortiADC Report 7.4.1 on page 97

l Default ZTNA Report 7.4.1 on page 98
l FortiEDR Report 7.4.1 on page 99
l ISO 27001:2022 Compliance Security Rating Report 7.4.1 on page 101
l Exporting a report with settings 7.4.1 on page 102

System

Other enhancements l FortiManager and FortiAnalyzer support HTTP/2 for improved security,
multiplexing, and reduced network latency 7.4.1 on page 139

7.4.2

Security Operations

Incident and event management l Update to the Event Handler rule configuration 7.4.2 on page 22

Dashboards l Indicator of Compromise log types and custom view 7.4.2 on page 36
l Replay attacks in the Threat Map 7.4.2 on page 38

Other enhancements l Reports, event handlers, log parsers, and playbooks delivered as FortiGuard
packages 7.4.2 on page 58

FortiAnalyzer 7.4.0 New Features Guide 160

Fortinet Inc.
 Index

Log and Report

Logging l Additional log fields for long live session logs 7.4.2 on page 82

Reports l HIPAA Compliance Security Rating Report 7.4.2 on page 104

System

Administrators l A new restricted admin profile can be used to only change the administrators
passwords 7.4.2 on page 115
l Per-ADOM admin profile 7.4.2 on page 118

Other enhancements l Backup strategy and configuration setup added to the FortiAnalyzer setup
wizard 7.4.2 on page 141

FortiAnalyzer 7.4.0 New Features Guide 161

Fortinet Inc.
 www.fortinet.com

Copyright© 2024 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.