FortiSIEM Running Historical Searches to Test Rule Sub Patterns

Running Historical Searches to Test Rule Sub Patterns

If you are trying to analyze why a rule is triggering an excessive number of incidents, or why it isn’t triggering any, you can run an historical search with the rule sub patterns to see how the sub pattern behaves in relation to past events. If the search has interesting results, you can then generate a report for further investigation. This is a way that you can test rules without having to deactivate them.

  1. Go to Analytics > Rules.
  2. Select a rule and then click Edit.
  3. Click Edit next to the sub pattern you want to use in the search.
  4. Click Run as Query.
  5. Enter information for the time period you want to search.
  6. Click OK.

An historical search will run based on the sub pattern filters, aggregate conditions, and group by conditions.

Using a Sub Pattern in a Report

If the search includes results that you want to share or investigate further, you can save the rule as a report.

  1. In the sub pattern you want to save, click Save as Report.

The report will be saved in Analytics > Reports, and will have the phrase From Rule in the report name.

  1. Select the report and click Run Now to generate a report from the sub pattern.
This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.