FortiSIEM Setting Global and Per-Device Threshold Properties

Overview

Defining a Global Threshold Property

Defining Per-Device Threshold Properties

Using the DeviceToCMDBAttr Function in a Rule

Overview

In many cases when you create a rule, you set values for device thresholds that should trigger an incident. The example of a rule with a single sub-pattern, for instance, contains a condition stating that if the average CPU utilization of a server exceeds 95% over 3 samples, an incident should be triggered. This is an example of setting an absolute value for the threshold in the rule itself.

Instead of setting an absolute value for the threshold, you can define global threshold properties that you can use as functions within a rule, and also define these threshold properties on a per-device basis. The advantage of this approach is that if you want to change the threshold values in a rule, you can edit the threshold property, rather than having to edit the rule. This is accomplished by using the DeviceToCMDBAttr function to return the value set for that device in the rule.

This table illustrates the difference between using an absolute value, shown in the first column, and a threshold property, shown in the second column, in the aggregation conditions for a rule. For the threshold property, the function takes the form DeviceToCMDBAttr(Host IP, Threshold Property), while it takes the form DeviceToCMDBAttr(Host IP, Component, Threshold) for devices with components, as shown in the second example.

| Rule Name | Aggregate Condition based on Absolute Value | Aggregate Condition based on Threshold Property Value |
|---|---|---|
| Server CPU Critical | AVG(CPU Utilization) > 95 | AVG(CPU Utilization) > DeviceToCMDBAttr(Host IP,Server CPU Util Critical Threshold) |
| Server Disk Space Critical | AVG(Disk Utilization) > 99 | AVG(Disk Utilization) > DeviceToCMDBAttr(Host IP,Disk Name,Disk Space Util Critical Threshold) |

In the first example, when the Server CPU Critical rule evaluates the function, it returns the value of Server CPU Util Critical Threshold for the host IP if that value has been defined for the reporting device; otherwise the global threshold value is returned. In the second example, if the Disk Space Util Critical Threshold is defined for a (Host IP, Disk Name) tuple, the function returns that value; otherwise the global threshold value is returned. This is an example of a Map threshold, in which there is one threshold value for each component; Map thresholds apply only to disk and interface components.
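As an added example, not code from the FortiSIEM documentation or the product itself, the following Python model reproduces the lookup order described above: a per-device value is used when one is defined, otherwise the global Default Value applies, and Map thresholds are keyed by (Host IP, component). The class names, the two sample devices, their component names and the utilization samples are all constructed for this illustration; the two rule functions evaluate the aggregate conditions from the table over a list of samples, requiring the 3 samples mentioned in the overview.

```python
# Added illustration of DeviceToCMDBAttr semantics (not FortiSIEM code).
# All names, devices and values below are constructed for the example.
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, Optional, Set, Tuple


@dataclass
class ThresholdProperty:
    """A global threshold property (Admin > Device Support > Custom Properties)."""
    name: str
    default: float                         # the property's Default Value
    component_type: Optional[str] = None   # set only for Map thresholds (disk, interface)


@dataclass
class Device:
    """A CMDB device with optional per-device threshold overrides."""
    host_ip: str
    properties: Dict[str, float] = field(default_factory=dict)                 # Double thresholds
    map_properties: Dict[Tuple[str, str], float] = field(default_factory=dict) # (property, component)
    components: Dict[str, Set[str]] = field(default_factory=dict)              # component type -> names


class CMDB:
    def __init__(self, properties, devices):
        self.properties = {p.name: p for p in properties}
        self.devices = {d.host_ip: d for d in devices}

    def device_to_cmdb_attr(self, host_ip, prop_name, component=None):
        """Model of DeviceToCMDBAttr(Host IP[, Component], Threshold):
        the per-device value if defined, otherwise the global default."""
        prop = self.properties[prop_name]
        device = self.devices.get(host_ip)  # unknown reporting device -> global default
        if prop.component_type is None:
            if device and prop_name in device.properties:
                return device.properties[prop_name]
            return prop.default
        # Map threshold: one value per (Host IP, component) tuple
        if component is None:
            raise ValueError(f"{prop_name} is a Map threshold and needs a component")
        if device and (prop_name, component) in device.map_properties:
            return device.map_properties[(prop_name, component)]
        return prop.default

    def set_map_property(self, host_ip, prop_name, component, value):
        """Per-device edit of a Map property; refused when the device has no
        component of the matching type, like the error the UI reports."""
        prop = self.properties[prop_name]
        device = self.devices[host_ip]
        if component not in device.components.get(prop.component_type, set()):
            raise ValueError(f"{host_ip} has no {prop.component_type} component {component!r}")
        device.map_properties[(prop_name, component)] = value


def server_cpu_critical(cmdb, host_ip, samples, min_samples=3):
    """AVG(CPU Utilization) > DeviceToCMDBAttr(Host IP, Server CPU Util Critical Threshold)"""
    if len(samples) < min_samples:
        return False
    threshold = cmdb.device_to_cmdb_attr(host_ip, "Server CPU Util Critical Threshold")
    return mean(samples) > threshold


def server_disk_space_critical(cmdb, host_ip, disk_name, samples, min_samples=3):
    """AVG(Disk Utilization) > DeviceToCMDBAttr(Host IP, Disk Name, Disk Space Util Critical Threshold)"""
    if len(samples) < min_samples:
        return False
    threshold = cmdb.device_to_cmdb_attr(host_ip, "Disk Space Util Critical Threshold", disk_name)
    return mean(samples) > threshold


def build_sample_cmdb():
    """Constructed sample data: one device with overrides, one relying on the global defaults."""
    props = [
        ThresholdProperty("Server CPU Util Critical Threshold", 95.0),
        ThresholdProperty("Disk Space Util Critical Threshold", 99.0, component_type="disk"),
    ]
    web = Device("10.0.0.10",
                 properties={"Server CPU Util Critical Threshold": 80.0},
                 components={"disk": {"/", "/data"}})
    db = Device("10.0.0.20", components={"disk": {"/"}})
    cmdb = CMDB(props, [web, db])
    cmdb.set_map_property("10.0.0.10", "Disk Space Util Critical Threshold", "/data", 90.0)
    return cmdb


if __name__ == "__main__":
    cmdb = build_sample_cmdb()
    cpu = [84.0, 86.0, 85.0]
    print("web CPU critical:", server_cpu_critical(cmdb, "10.0.0.10", cpu))  # 85 > 80 -> True
    print("db CPU critical:", server_cpu_critical(cmdb, "10.0.0.20", cpu))   # 85 > 95 -> False
```

Run with `python3 thresholds.py`. The point to notice is that the same rule text produces different outcomes per device purely through CMDB data, which is why the threshold property, not the rule, is what an operator tunes; the `set_map_property` check also shows why editing a Map property on a device without matching components is rejected.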

Defining a Global Threshold Property

AccelOps includes more than 30 pre-defined global threshold properties that you can edit and use in rules, but you can also create custom threshold properties.

  1. Go to Admin > Device Support.
  2. Click the Custom Properties
  3. Click Add.
  4. Enter a Name and Display Name for the new threshold property.
  5. Enter the Default Value for the threshold.
  6. Select the Type of threshold value.

For most global threshold values you will select Double. For Map thresholds, which apply to disks and interfaces, select the Item Type for the threshold value, and then select the Component Type to which it applies.

  7. Click Save.

Defining Per-Device Threshold Properties

  1. Go to CMDB > Devices.
  2. Select a device.
  3. In the Device Details pane, click Edit.
  4. Click the Properties
  5. For any of the threshold properties, enter a value.

If you want to edit a Map property, click Edit next to the property name, and then enter the value. If that device does not have any components to which that property could apply, you will see an error message.

  6. Click OK.

Using the DeviceToCMDBAttr Function in a Rule

Using the example of the Server CPU Critical rule, you would use the DeviceToCMDBAttr function to set a threshold for the aggregation conditions of the rule in this way:

  1. In the sub pattern of the rule, under Aggregation Conditions, click the expression builder icon next to the Attribute
  2. In the expression builder, under Add Function, select AVG.
  3. In the Add Event Attribute field, select CPU Utilization.
  4. Click OK.

The expression builder will close, and you will see the function and event attribute you selected listed as the Attribute for the Aggregate Conditions.

  5. For Operator, select =.
  6. Click the expression builder icon next to the Value
  7. In the Add Function menu, select DeviceToCMDBAttr.
  8. In the Select Function Pattern dialog, select DeviceToCMDBAttr(EventAttr,CMDBAttr).
  9. Under Add Event Attribute, select Host IP.
  10. Under Add CMDB Attribute, select Server CPU Util Critical Threshold.
  11. Click OK.
  12. Click Save.

This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
