FortiSIEM: Creating a Structured Historical Search

Prerequisites

If you need to familiarize yourself with how historical search works or the historical search interface, you should read these topics:

Overview of the Historical Search User Interface

Example of How a Structured Historical Search is Processed

Sample Historical Searches

Structured Search Operators

Procedure

  1. Log in to your Supervisor node.
  2. Go to Analytics > Historical Search.
  3. For Filter Criteria, select Structured.

The Conditions and Group By search window will open.

  4. Click the downward arrow in the search window to open the Conditions and Group By

Alternatively, you can click to use a saved Filter Criteria Set.

  5. Under Conditions, set the Attribute, Operator, and Value for your condition.

You can also use expressions as search conditions. See Using Expressions in Structured Searches and Rules for details on expressions, and Selecting Attributes for Structured Searches, Display Fields, and Rules for details on using attributes in conditions.

  6. Click + under Row to add another condition, and set the Next Operator (the logical operator that joins it to the previous row) for that condition.

You can give precedence to conditions by setting parentheses around them with the + button under Paren.

  7. Under Group By, set the event attributes that you want to use to group the results, as described in Example of How a Structured Historical Search is Processed.
  8. Click OK.

You can also click Save as Filter Criteria Set; these conditions and Group By attributes will then be available for future historical searches by clicking next to the search window.

  9. Under Display Fields, select the attributes you want to use as the columns in your results list.

See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information about selecting device and event attributes to use as display fields.

  10. For multi-tenant deployments, select the Organization you want to run the search against.
  11. For Time, set the interval over which you want the search to run.
  12. Click Run.

The results of your search will appear in the chart and results list.
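To make the Conditions, Next Operator, Paren and Group By settings concrete, here is an added Python illustration (not FortiSIEM code and not taken from the guide) of how the rows in the search window map to a single boolean filter and how Group By then buckets the matching events. The operator set, the assumption that AND binds tighter than OR unless parentheses say otherwise, and the event field names are all assumptions for illustration; the events are constructed sample records, not real FortiSIEM data.

```python
"""Added example (not FortiSIEM's own code): a row-based condition builder
(Attribute / Operator / Value, a Next Operator between rows, optional
parentheses) rendered and evaluated as one boolean filter, followed by a
Group By over the matching events. All semantics and field names below are
assumptions for illustration; EVENTS is constructed sample data."""

from collections import Counter
import operator

# Comparison operators a condition row may use (assumed subset).
OPERATORS = {
    "=": operator.eq,
    "!=": operator.ne,
    ">": operator.gt,
    "<": operator.lt,
    "CONTAIN": lambda field, value: value in str(field),
}

# Constructed sample events; attribute names are illustrative only.
EVENTS = [
    {"eventType": "Win-Security-4625", "reptDevIpAddr": "10.0.0.5", "srcIpAddr": "203.0.113.9", "user": "svc_backup"},
    {"eventType": "Win-Security-4625", "reptDevIpAddr": "10.0.0.5", "srcIpAddr": "203.0.113.9", "user": "admin"},
    {"eventType": "Win-Security-4624", "reptDevIpAddr": "10.0.0.5", "srcIpAddr": "203.0.113.9", "user": "admin"},
    {"eventType": "Win-Security-4625", "reptDevIpAddr": "10.0.0.7", "srcIpAddr": "198.51.100.2", "user": "guest"},
    {"eventType": "Linux-Auth-Failure", "reptDevIpAddr": "10.0.0.8", "srcIpAddr": "203.0.113.9", "user": "root"},
]

# The same three rows without and with parentheses; only the Paren column differs.
ROWS_FLAT = [
    {"attr": "eventType", "op": "=", "value": "Win-Security-4625", "next": "AND"},
    {"attr": "srcIpAddr", "op": "=", "value": "203.0.113.9", "next": "OR"},
    {"attr": "eventType", "op": "=", "value": "Linux-Auth-Failure"},
]
ROWS_PAREN = [
    {"attr": "eventType", "op": "=", "value": "Win-Security-4625", "next": "AND"},
    {"attr": "srcIpAddr", "op": "=", "value": "203.0.113.9", "paren": "(", "next": "OR"},
    {"attr": "eventType", "op": "=", "value": "Linux-Auth-Failure", "paren": ")"},
]


def row_matches(row, event):
    """Evaluate one condition row against one event (missing attribute = no match)."""
    if row["attr"] not in event:
        return False
    return OPERATORS[row["op"]](event[row["attr"]], row["value"])


def rows_to_expression(rows):
    """Render the rows as the boolean expression the search window represents."""
    parts = []
    for i, row in enumerate(rows):
        term = f"{row['attr']} {row['op']} {row['value']!r}"
        paren = row.get("paren", "")
        term = "(" + term if paren == "(" else term + ")" if paren == ")" else term
        parts.append(term)
        if i < len(rows) - 1:
            parts.append(row["next"])
    return " ".join(parts)


def evaluate(rows, event):
    """Evaluate the rows against one event with AND binding tighter than OR
    and parentheses overriding that precedence (assumed semantics)."""
    tokens = []
    for i, row in enumerate(rows):
        paren = row.get("paren", "")
        if paren == "(":
            tokens.append("(")
        tokens.append(row_matches(row, event))
        if paren == ")":
            tokens.append(")")
        if i < len(rows) - 1:
            tokens.append(row["next"])
    pos = 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "OR":
            pos += 1
            rhs = parse_and()  # always consumed so pos advances correctly
            value = value or rhs
        return value

    def parse_and():
        nonlocal pos
        value = parse_atom()
        while pos < len(tokens) and tokens[pos] == "AND":
            pos += 1
            rhs = parse_atom()
            value = value and rhs
        return value

    def parse_atom():
        nonlocal pos
        if tokens[pos] == "(":
            pos += 1
            value = parse_or()
            pos += 1  # skip the matching ")"
            return value
        pos += 1
        return tokens[pos - 1]

    return parse_or()


def run_search(rows, events, group_by):
    """Return (matching events, Group By counts keyed by the group_by attribute tuple)."""
    matched = [e for e in events if evaluate(rows, e)]
    counts = Counter(tuple(e.get(attr) for attr in group_by) for e in matched)
    return matched, dict(counts)


if __name__ == "__main__":
    for rows in (ROWS_FLAT, ROWS_PAREN):
        matched, groups = run_search(rows, EVENTS, ["reptDevIpAddr"])
        print(rows_to_expression(rows), "->", len(matched), "events", groups)
```

Running it shows why the Paren column matters before a filter is saved as a Filter Criteria Set and reused: without parentheses the three rows read as (4625 AND source) OR Linux-failure and match three events across two reporting devices, whereas with parentheses around the last two rows they read as 4625 AND (source OR Linux-failure) and match only two events from one device.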

Using System-Defined Reports for Historical Search

FortiSIEM includes a number of pre-defined reports that you can use as the basis for historical searches.

Viewing Available Reports

  1. Log in to your Supervisor node.
  2. Go to Analytics > Reports.
  3. Select a report group in the navigation pane, and then a report.

Each report includes four information tabs:

Tab         Description
Summary     Includes the name, description, and all the criteria used to construct the historical search for the report
Schedule    Any scheduled runs for the report. See Scheduling Reports for more information.
Results     Any saved results from running the report
Definition  The XML definition of the report

Using System-Defined Reports in Historical Searches

  1. Log in to your Supervisor node.
  2. Go to Analytics > Historical Search.
  3. Click Load Report.
  4. Select the report you want to use, and then click OK.
  5. Follow the same steps that you would for Creating a Structured Historical Search.
This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
