FortiSIEM Viewing and Searching Incidents

Viewing and Searching Incidents

The Incident Dashboard displays incident information for your IT infrastructure based on the filter conditions you set. You can also view incidents grouped by incident attributes, use values in incident attributes to refine your searches, view information about rules that triggered incidents, and use incident information to create rule exceptions and event dropping rules.

List View of Incidents

Searching for Incidents by Incident Attributes

Using Group By Attributes to View Incidents

Device Risk View of Incidents

Calendar View of Incidents

Fishbone View of Incidents

List View of Incidents

There are two ways you can view the incidents that are occurring in your IT infrastructure.

The Incidents tab, shown in the screenshot for this topic, where you can view incidents and incident details

Dashboard > Incident Dashboard, which includes the same incident summary and user interface controls found in the Incidents tab, but which also provides other views of incidents, including a fishbone view of incidents in your infrastructure, a topology view with the number and severity of incidents overlaid on devices, a calendar view, and a location view that includes both a summary view of incident source and target IP locations and a map view, along with the number and severity of incidents for that location overlaid on the map.

In both locations you can filter the incidents in the dashboard, find out more information about sources and targets of incidents, customize the dashboard layout, and manage the rules associated with incidents.

Incident Attributes

Incident Dashboard User Interface Controls

Incident Dashboard Filter Controls

Incident Management Controls

Contextual Menus

Incident Details

Incident Details

Triggered Events

Related Incidents

Incident Attributes

An Incident has the following attributes.

Attribute Name Description
Event Severity Category The severity of the incident, High, Medium, or Low
Last Seen Time The last time that the incident was triggered
First Seen Time The first time that the incident was triggered
Incident Name The name of the rule that triggered the incident
Incident ID The unique ID assigned to the incident
Incident Source The source IP or host name that triggered the incident
Incident Target The IP or host name where the incident occurred
Incident Detail Event attributes that triggered the incident
Status The status of the incident, Active, Cleared, Cleared Manually, System Cleared
Cleared Reason For manually cleared incidents, this displays the reason the incident was cleared
Cleared Time The time an incident was cleared
Cleared User The person who cleared the incident
Comments Any comments that users have entered for the incident
Ticket Status Status of any tickets associated with the incident
Ticket ID The ID number of any tickets generated by the incident
Ticket User The person assigned to any tickets generated by the event
External User If the ticket was cleared in an external ticket-handling system, this lists the name of the person the ticket was assigned to
External Cleared Time If the ticket was cleared in an external ticket-handling system, this lists the time it was cleared
External Resolved Time If the ticket was resolved in an external ticket-handling system, this lists the time it was resolved
External Ticket ID The ID of the incident in an external ticket-handling system
External Ticket State The state of the incident ticket in an external ticket-handling system
External Ticket Type The type assigned to the incident ticket in an external ticket-handling system
Organization The organization reporting the event
Impacts Organizations impacted by the event
Business Service Business services impacted by the incident
Incident Notification

Status

Status of any notifications that were sent because of the incident
Notification Recipients Who received notification of the incident
Incident Count How many times the incident has occurred during the selected time interval

Incident Dashboard User Interface Controls

This screenshot shows the Incidents tab with the major user interface controls outlined in red.

Incident Dashboard Filter Controls

The filter controls let you control which incidents are shown in the dashboard.

Filter

Control

Description
Filter

Criteria

You have three options for the filter conditions:

ID

Search for an incident by ID

IP

Search for an incident based on an IP address Advanced

Use this option to set filter conditions based on event attributes as described in Creating a Structured Real Time Search. See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information about using attributes in search filters.

Group By Use these options to group incidents in the dashboards based on incident attributes. See Using Group By Attributes to View Incidents for more information.
Severity Use these options to only see incidents with the selected severity level
Function Use these options to view incidents related to a specific infrastructure functional area, such as Performance or Security.
Incident

Status

Filter incidents to view according to their status
Ticket

Status

Filter incidents based on the status of their associated tickets. See Creating Tickets In FortiSIEM In-built Ticketing System for more information.
Time

Selection

Select the time interval during which incidents should have occurred. The default is Last 2 Hours.
Organization For multi-tenant deployments, select the organization you want to view incidents for.
Impacts For multi-tenant deployments, select an organization to view the incidents that are impacting it

Incident Management Controls

Filter

Control

Description
Refresh Refresh the dashboard view
Edit Rule Edit the rule associated with the incident. See the topics under Rules for more information.
Exception Create an exception to the rule associated with the incident. See Defining Rule Exceptions for more information.
Ticket Create a ticket from the incident. See Creating Tickets In FortiSIEM In-built Ticketing System for more information.
History View the ticket history associated with an incident.
Clear Clear the incident. See Defining Clear Conditions for more information on how to set rule conditions that will automatically clear incidents. All non-security related incidents are cleared from the system every night at midnight local time, and will show a status of System Cleared. A status of Manual Clear means that a user cleared the incident from the Incident Dashboard, while Clear means it was cleared by a rule condition.
Comments Add comments to the incident
Columns Change the columns displayed in the summary table. Incident Columns describes all the columns that can be added to the Incident Dashboard.
Export Export the incident information to a PDF or CSV file
Locations View geolocation information about the incidents. Pin colors on the map indicate incident severity:

Red: HIGH Severity

Yellow: MEDIUM Severity

Green: LOW Severity

Black: Incidents with multiple severity levels at the same location

Contextual Menus

Clicking on an item within a column of the incident summary will open a contextual menu, with options depending on whether the incident attribute you selected includes an IP address (Source IP or Target IP, for example), or some other kind of incident attribute. Shared between both menus are an Add to Filter option, which enables you to select a result attribute and add it to the Filter By conditions. Both menus also include most of the same options available in the Incident Management controls to edit and add exceptions to rules. The IP address contextual menu provides options to view more information about the associated device, with many of the same options you would find in the Analysis menu used in search summary dashboards.

This screenshot shows the IP contextual menu open after selecting an IP address in the Incident Source column of the Incidents tab.

Incident Details

The Incident Details pane at the bottom of the Incidents Dashboard provides you with information about a selected incident in three areas: Incide nt Details, Triggered Events, and Related Incidents.

Incident Details

The Incident Details include the ID of the incident, specific details about the event that triggered the incident, and the definition of the rule associated with the incident.

Triggered Events

The list of events that triggered the incident. For columns containing an event type, or host or  IP information, click on an item to open a contextual menu and view more information about it.

Related Incidents

Use this menu to view related incidents based on the Source, Target, Rule Name, or Reporting IP associated with the selected incident.

Searching for Incidents by Incident Attributes

As your review incidents in your dashboard, you may want to build searches based on attributes from selected incidents. For example, you may want to use the value for the Incident Target attribute in an incident as a filter condition to find similar or related incidents, and then add more conditions based on the results of that search.

  1. Log in to your Supervisor node.
  2. Go to Incidents.
  3. In the Incident Dashboard, select an incident.
  4. Click on the attribute value for the selected incident that you want to add to the Filter By condition to open the Options menu, and then select Add to Filter.

The type of search will change to Advanced, and the attribute value you selected will be added to the Filter By conditions.

  1. Click in the Filter By Conditions field to open the Conditions Builder and add other incident attributes.
  2. Click Refresh when you’re done creating filter conditions to see the results.
This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.