FortiSIEM Converting an Historical Search to a Rule

Converting an Historical Search to a Rule

Example

While using historical search, you may observe a pattern that you want to use as a rule so if the pattern recurs, it will trigger an alert. For example, in an historical search you may notice excessive traffic going outside your country or the countries you do business with. You can generate a rule to watch for this traffic pattern from within the historical search.

These screenshots show the conditions and results for the example of an historical search for excessive outgoing traffic.

Following this example, you may now want to create a rule that will send you an alert when a particular source sends more than 1000 connections, or more than 5MB of traffic, in five minutes.

Procedure

  1. In the historical search that you want to use as the basis for your rule, click Create Rule.

The Rule Editor will load, with most information for the rule auto-populated from the search. You can also read the topics under Rules for more information about creating rules.

  2. Enter a Rule Name and Description.
  3. Set the Severity to associate with incidents generated by this rule.
  4. Set the Incident Category to associate with incidents generated by this rule.
  5. Set the number of seconds for the Time Window that this rule should apply to.

In the example of excessive outgoing traffic over a five-minute period, this would be set to 300.

  6. Under the Conditions, click the Edit icon for Filter_1.

You will see that all your filter conditions for the search have been populated into this sub pattern.

  7. You can now edit the Filter and Aggregate conditions for your original search, or change the Group By conditions.
  8. Click Save when you're done editing the rule.

This screenshot shows editing the rule sub pattern Filter_1 from the original rule conditions, with the Aggregate Conditions for COUNT(Matched Events) and SUM(Total Bytes) set to 1000 and 5242880 to match the new alert conditions from the example historical search, and the AND operator changed to OR.
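To make the effect of the edited sub pattern concrete, here is an added Python simulation of the converted rule's logic (not FortiSIEM code, and not from the original guide). It assumes a fixed 300-second window keyed on source IP, an allow-list of "home" countries standing in for Filter_1, constructed sample events, and lets you compare the AND that the search carried with the OR the rule needs.

```python
from collections import defaultdict

# Thresholds mirroring the rule described in the text: 5 minute window,
# more than 1000 connections OR more than 5 MB (5242880 bytes) per source.
TIME_WINDOW_SEC = 300
COUNT_THRESHOLD = 1000
BYTES_THRESHOLD = 5242880
HOME_COUNTRIES = {"US", "CA"}  # assumed "countries you do business with"


def matches_filter(event):
    """Filter_1 stand-in: outbound traffic to a country outside the allow set."""
    return event["direction"] == "outbound" and event["dst_country"] not in HOME_COUNTRIES


def evaluate_rule(events, use_or=True):
    """Group matching events by source IP inside fixed 300 s windows and return
    the (window_start, src_ip) pairs that would raise an incident.
    use_or=False reproduces the original search's AND between the aggregates."""
    buckets = defaultdict(lambda: {"count": 0, "bytes": 0})
    for ev in events:
        if not matches_filter(ev):
            continue
        window_start = ev["ts"] - (ev["ts"] % TIME_WINDOW_SEC)
        agg = buckets[(window_start, ev["src_ip"])]
        agg["count"] += 1            # COUNT(Matched Events)
        agg["bytes"] += ev["bytes"]  # SUM(Total Bytes)
    incidents = []
    for key, agg in sorted(buckets.items()):
        count_hit = agg["count"] > COUNT_THRESHOLD
        bytes_hit = agg["bytes"] > BYTES_THRESHOLD
        fired = (count_hit or bytes_hit) if use_or else (count_hit and bytes_hit)
        if fired:
            incidents.append(key)
    return incidents


def sample_events():
    """Constructed traffic: 10.0.0.5 opens 1200 tiny outbound connections,
    10.0.0.9 moves 6 MB in three connections, 10.0.0.7 only talks to the US."""
    evs = [{"ts": 900 + i % 290, "src_ip": "10.0.0.5", "direction": "outbound",
            "dst_country": "RU", "bytes": 200} for i in range(1200)]
    evs += [{"ts": 1100 + i, "src_ip": "10.0.0.9", "direction": "outbound",
             "dst_country": "CN", "bytes": 2 * 1024 * 1024} for i in range(3)]
    evs += [{"ts": 1050, "src_ip": "10.0.0.7", "direction": "outbound",
             "dst_country": "US", "bytes": 50 * 1024 * 1024}]
    return evs


if __name__ == "__main__":
    print(evaluate_rule(sample_events()))                # both foreign sources fire
    print(evaluate_rule(sample_events(), use_or=False))  # with AND, neither fires
```

With OR, the high-connection-count source and the high-byte source each produce an incident; with the search's original AND, neither crosses both thresholds and nothing fires, which is why the screenshot changes the operator.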


This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
