FortiSIEM Defining the Incident Generated by a Rule

Defining the Incident Generated by a Rule

Defining an incident involves setting attributes for the incident based on the subpatterns you created as conditions for the rule, and then setting attributes for the incident that will be used in analytics and reports.

  1. In the rule you want to define an incident for, click Edit next to Actions: Generate Incident.
  2. Enter an Incident Name, Display Name, and Description.
  3. Under Incident Attributes, you will define attributes for the incident based on the Group By and Aggregate Conditions attributes you set for your sub patterns. Typically you will set the Incident attributes to be the same as the Group by attributes in the subpattern. a. Select the Event Attribute you want to add to Incident.
    1. Select a Subpattern.
    2. This will populate values from the Group By attributes in the subpattern to the Filter Attribute
    3. In the Filter menu, select the attribute you want to set as equivalent to the Event Attribute.
  4. Under Triggered Event Attributes, select the attributes from the triggering events that you want to include in dashboards and analytics for this event.

This is pre-populated with typical attributes you would want included in an incident report.

  1. Click OK.
This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.