FortiSIEM Using Watch Lists as Conditions in Rules and Reports

Using Watch Lists as Conditions in Rules and Reports

You may want to create a rule that refers to the attributes in a watch list, for example if you want to create a condition in which a Source IP listed in your DNS Violators watch list will trigger an incident.

  1. Go to the rule or report where you want to use the watch list.
  2. Under Conditions for the report, or under Filters in your rule subpattern, enter the watch list attribute you want to filter for in the Attribut e

For example, Source IP.

  1. For Operator, select IN.
  2. Click next to Value, and use the CMDB Browser to find and select the watch list you want to use.

For example, DNS Violators.

  1. Click Folder >> to select the watch list, and then click OK.
  2. Continue with creating your search criteria or rule sub pattern as you normally would.

 

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.