FortiSIEM Structured Search Operators

Leave a reply
Structured Search Operators
Operator Meaning Allowed on

Event Attribute

Types or CMDB

Group

 Example as seen in GUI
=, != Compares whether an attribute is exactly identical or not identical to a specified value All except DATE types Event Type = “PH_DEV_MON_SYS_CPU_UTIL”

Source IP != 10.1.1.1
>, >=, <, <= Compares whether an attribute is less or greater than a specified value Numeric types:

UINT16, UINT32,

UINT64, DOUBLE

 CPU Util > 10
IN, NOT IN Determines whether an attribute belongs or does not belong to a set of values. For string valued attributes, the match is case insensitive. All except DATE type

Allows CMDB

Groups

 System Event Category IN (3,6)

Event Type IN

(“PH_DEV_MON_SYS_CPU_UTIL”,”PH_DEV_MON_SYS_MEM_UTIL”)

Event Type IN (“PH_DEV_MON_SYS_CPU_UTIL”,Event Types:Login

Failure)

Source IP IN Devices:Windows, Devices:Unix

Destination IP IN Networks:VPN Pool
BETWEEN,

NOT

BETWEEN

 Determines whether an attribute is between a range of values All except STRING types Source IP BETWEEN (10.1.1.1, 10.1.1.255)

CPU Util BETWEEN (20.0, 30.0)

Event Receive Time BETWEEN (18:35 03/17/2014, 18:35 03/26/2014)
IS (NULL),

IS NOT

(NULL)

 Determines whether an attribute is present or not All types Host Name IS NOT NULL
CONTAINS,

NOT

CONTAINS

 Determines whether a string valued attribute contains a specified sub-string.

For Raw Event Log – the sub-string has to contain the beginning of every word For all other string type attributes: the sub-string can be in any  position

 STRING Event Type CONTAINS “DEV_MON” matches “PH_DEV_MON_CPU”

Event Type NOT CONTAINS “DEV_MON” does not matche “PH_DEV_MON_CPU”

Reporting Model CONTAINS “dows” matches “Microsoft Windows”

Reporting Model CONTAINS “soft win” matches “Microsoft Windows”

Raw Event Log CONTAINS “dows” does not match “Microsoft Windows”

Raw Event Log CONTAINS “microsoft win” matches “Microsoft Windows 2003”

(For more general patterns use regular expressions)
REGEXP,

NOT

REGEXP

 Determines whether a string valued attribute matches a specified pattern. Raw message needs to be UTF-8 encoded. STRING Raw Event Log REGEXP “\d+.\d+\d+.\d+”

Event Type NOT REGEXP “PH_DEV_MON_.*” – match events with event types not beginning with PH_DEV_MON
This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.