FortiSIEM Creating Event Attributes, Event Types, and Device Types


When you create a custom parser or monitor, you must also specify the device, application, event type, and event attribute to which it applies. If these objects aren’t already included in the FortiSIEM CMDB, you can create them as a preliminary step to creating your parser or monitor.

This page covers three procedures:

Creating Device and Application Types
Creating Event Attribute Types
Creating Event Types

Creating Device and Application Types

If the device or application that you want to create a parser or monitor for isn’t already listed in Admin > Device Support > Device/App Types, you can add it.

  1. Go to Admin > Device Support > Device/App Types.
  2. Click New, and then choose New Device Type or New Application Type.
  3. Enter the information for the new device or application type.
     The fields available depend on the object being created:

     Device Type: Vendor, Model, Version, Device/App Group, Biz Service group, Description

     Application Type: Vendor, Model, Version, Device/App Group, Biz Service group, Application Package Group, Description

  4. Click Save.

Creating Event Attribute Types

Event attributes are used to capture parsed information from events. You only have to create a new attribute if the one you want to use for your custom parser or monitor is not listed in Admin > Device Support > Event Attribute Types.

  1. Click New.
  2. Enter a Name and Display Name.
  3. Select the Value Type to associate with the event attribute type.
  4. Optionally enter a Display Format Type and Description.
  5. Click Save.


Creating Event Types

After parsing an event or log, FortiSIEM assigns a unique event type to that event/log. When you create a new custom parser for device logs, you almost always have to add a new event type to FortiSIEM so the log events can be identified.

  1. Go to Admin > Device Support > Event Types.
  2. Click New.
  3. Enter a Name for the new event type.
  4. Select the Device Type to associate with the event type.
     If the device type isn’t included in the menu options, you can add it to FortiSIEM (see Creating Device and Application Types above).
  5. Select the Event Type Group category for this event type.
  6. Select a Severity to associate with the event type.
  7. Enter an optional Description.
  8. Click Save.
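The dependency stated at the top of this page (a custom parser or monitor refers to a device type, event types and event attributes, and each of those must already exist in the CMDB) can be checked before you start working through Admin > Device Support. The following Python script is an added example written for this page; it is not FortiSIEM code and is not part of the original guide. The parser fragment and the CMDB inventory it checks against are constructed, and the XML element names (eventParser, deviceType, collectAndSetAttrByRegex, setEventAttribute) are assumptions loosely modelled on the shape of a parser definition, not a statement of the product's schema. It reports which referenced objects are missing and which required GUI fields a proposed new object still lacks.

```python
# Pre-flight check for a custom parser: which CMDB objects does it reference,
# and which of them are not yet present under Admin > Device Support?
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the objects already present in the CMDB.
# Device types are keyed as (Vendor, Model, Version). All names are illustrative.
EXISTING_DEVICE_TYPES = {("Acme", "Gatekeeper", "ANY")}
EXISTING_EVENT_TYPES = {"Acme-Gatekeeper-Login-Success"}
EXISTING_EVENT_ATTRIBUTES = {"srcIpAddr", "user", "reptDevIpAddr"}

# Constructed parser fragment. The element names loosely follow the shape of a
# FortiSIEM parser definition but are assumptions made for this example.
PARSER_XML = """\
<eventParser name="AcmeGatekeeperParser">
  <deviceType>
    <Vendor>Acme</Vendor>
    <Model>Gatekeeper</Model>
    <Version>ANY</Version>
  </deviceType>
  <parsingInstructions>
    <collectAndSetAttrByRegex src="$_rawmsg">
      <regex><![CDATA[user=<user> src=<srcIpAddr> result=<authResult>]]></regex>
    </collectAndSetAttrByRegex>
    <setEventAttribute attr="eventType">"Acme-Gatekeeper-Login-Failure"</setEventAttribute>
  </parsingInstructions>
</eventParser>
"""

# Fields the GUI requires when creating each object type (per the steps above).
REQUIRED_FIELDS = {
    "event_type": ("Name", "Device Type", "Event Type Group", "Severity"),
    "event_attribute": ("Name", "Display Name", "Value Type"),
}


def referenced_objects(parser_xml):
    """Return (device_type, event_types, attributes) named by the parser."""
    root = ET.fromstring(parser_xml)
    dt = root.find("deviceType")
    device_type = (dt.findtext("Vendor"), dt.findtext("Model"), dt.findtext("Version"))

    # Every <name> placeholder inside a regex is an event attribute the parser fills.
    attributes = set()
    for regex in root.iter("regex"):
        attributes.update(re.findall(r"<(\w+)>", regex.text or ""))

    # Event types assigned as string literals via setEventAttribute attr="eventType".
    event_types = set()
    for setter in root.iter("setEventAttribute"):
        if setter.get("attr") == "eventType":
            event_types.update(re.findall(r'"([^"]+)"', setter.text or ""))
    return device_type, event_types, attributes


def missing_objects(parser_xml, device_types, event_types, attributes):
    """List the referenced objects that must be created before the parser is loaded."""
    device_type, needed_types, needed_attrs = referenced_objects(parser_xml)
    return {
        "device_types": [] if device_type in device_types else [device_type],
        "event_types": sorted(needed_types - event_types),
        "event_attributes": sorted(needed_attrs - attributes),
    }


def missing_required_fields(kind, fields):
    """Return the required GUI fields that a proposed new object leaves empty."""
    return [f for f in REQUIRED_FIELDS[kind] if not fields.get(f)]


if __name__ == "__main__":
    report = missing_objects(PARSER_XML, EXISTING_DEVICE_TYPES,
                             EXISTING_EVENT_TYPES, EXISTING_EVENT_ATTRIBUTES)
    for kind, names in report.items():
        print(f"{kind}: {names or 'all present'}")
    # A half-filled attribute definition: the check tells you what Save would reject.
    proposal = {"Name": "authResult", "Display Name": "Authentication Result"}
    print("event_attribute still needs:", missing_required_fields("event_attribute", proposal))
```

Run against the constructed inventory, the report shows that the device type is already present, that the event type Acme-Gatekeeper-Login-Failure and the attribute authResult still have to be created, and that the proposed attribute is missing its Value Type. Creating those objects first, in the order the sections above describe (device type, then attributes, then event type), is what lets the parser load without unresolved references.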

This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
