FortiSIEM Testing a Rule

Testing a Rule

After you’ve created or a edited a rule, you should test it to see if behave as expected before you activate it. This topic describes how to test a rule using synthetic events.

Procedure

Test Results

Test Example

Troubleshooting for Rule Testing

Rule Syntax Error

Rule Semantics Error

Event Parsing Error

Procedure

  1. Go to Analytics > Rules, and deactivate the rule you want to test.
  2. Select the rule, and then click Test Rule.

This will open the Rule Debugger.

  1. Enter a Reporting IP where the synthetic event should originate from.
  2. Under Raw Event, enter the raw event log text that contains the triggering conditions for the rule.
  3. Under Pause, enter the number of seconds before the next test event will be sent, and then click + under Action to enter additional test events.

You will need to create as many events as are necessary to trigger the rule conditions.

  1. Click Run Test.

If the test succeeds you are now ready to activate the rule.

Test Results

The test will run through a four stage process, which you can observe in the Test Results tab of the rule. A yellow icon will also appear in the Stat us column for the rule to indicate that the test is running.

  1. Rules are checked for syntax errors.
  2. Events are parsed and sent to Rule Workers.

If there are errors in the rule syntax or event parsing errors, see the examples under Troubleshooting for Rule Testing for suggestions on how to correct them. As events are being parsed, you can view their Event Details by clicking on the Raw Event Log icon next to the event.

  1. Rule Worker nodes evaluate the events against the rule conditions, and if they match, they are sent to the Rule Master.
  2. The Rule Master creates incidents, which then appear in the Incidents dashboards.

When the test successfully completes, a green icon will appear in the Status column next to the rule name.

Test Example

This screenshot shows the example of a test for the rule Multiple Admin Login Failures: Net Devices. The conditions for this rule are that the the Reporting IP must belong to a network device, and there must be 3 login failure events from the same IP and user.

Troubleshooting for Rule Testing

If the test fails, a red icon will appear under the Status column next to the rule name, and you will see the error message in the Test Results tab for the rule.

Rule Syntax Error

 

Rule Semantics Error

This means that the conditions of the rule were not met by the event. For example, if five events were required to meet the condition, but only one was sent.

Event Parsing Error

This means that some text in the raw event log did not pass the event parser. For example, if “denied” is the term expected by the parser in the test example, but the raw event log contains the term “deny,” then the event will not pass the parser.

 

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.