Converting an Historical Search to a Rule

Example

Procedure

Example

While using historical search, you may observe a pattern that you want to use as a rule so if the pattern recurs, it will trigger an alert. For example, in an historical search you may notice excessive traffic going outside your country or the countries you do business with. You can generate a rule to watch for this traffic pattern from within the historical search.

These screenshots show the conditions and results for the example of an historical search for excessive outgoing traffic.

Following this example, you may now want to create a rule that will send you an alert when a particular source sends more than 1000 connections, or more that 5MB of traffic, in five minutes.

Procedure

1. In the historical search that you want to use as the basis for your rule, click Create Rule.

The Rule Editor will load, with most information for the rule auto-populated from the search. You can also read the topics under Rules for more information about creating rules.

2. Enter a Rule Name and Description.
3. Set the Severity to associate with incidents generated by this rule.
4. Set the Incident Category to associate with incidents generated by this rule.
5. Set the number of seconds for the Time Window that this rule should apply to.

In the example of excessive outgoing traffic over a five minute period, this would be set to 300.

6. Under the Conditions, click the Edit icon for Filter_1.

You will see that all your filter conditions for the search have been populated into this sub pattern.

7. You can now edit the Filter and Aggregate conditions for your original search, or change the Group By conditions.
8. Click Save when you’re done editing the rule.

This screenshot show editing the rule sub pattern Filter_1 from the original rule conditions, with the Aggregate Conditions for COUNT(Matched Events) and SUM(Total Bytes) to 1000 and 5242880 to match the new alert conditions from the example historical search, and the AND operato r changed to OR.

 

Converting an Historical Search to a Real Time Search

In the course of running an historical search, you may produce results that you want to examine in real time. For example, suppose that an historical search shows that yesterday there was an excessive amount of outgoing traffic from your home country or countries that you do business with. You may want to know if this same traffic pattern is happening right now, in real time. You can answer this question from within the same historical search that raised your suspicions.

1. In the historical search window, click Real Time Search.

The historical search criteria are loaded into a Real Time Search window and begin to execute.

2. You can now refine your Real Time Search results to reflect your current interest, for example by adding a Destination County attribute to the display results and running the search again.

Overview of Historical Search Results and Charts

When your search runs, you will see both a Results List in the bottom pane of the screen, and a chart in the middle pane. The types of charts that are displayed depend both on the data being analyzed, and whether or not you have specified any Group By conditions in your search. You can also add dimensions to your search results and change the chart display type for further analysis.

Non-Aggregated Search Results

Trend

Results List

Aggregated Search Results

Results List

Trend

Pie Chart

Bar Chart

Scatter Plot

Bubble Plot

Tree Map

Heat Map

Non-Aggregated Search Results

Non-aggregated searches are searches that don’t use any Group By conditions to process the results. These types of searches produce two views of the results:

View	Description	Screen Example	Notes
Trend	Shows the trend over time for search results
Results List	Shows the results of the search based on the Search Display fields you selected

Aggregated Search Results

Aggregated searches are those that use a Group By condition to process the results.

View	Description	Screen Example	Notes
Results List	Shows the results of the search based on the Group By and Display fields you selected		This example shows the search results for Top Event Types by Count Filter Condition: Empty Group By Condition: Event Type Selected Display Fields: Event Type and COUNT(Matched Events)
Trend	Shows the time trend of aggregated fields (one at a time)		There are two trend views of results for aggregated searches, the line chart, shown here as the first chart, and the stack chart, shown as the second chart. In this example, the line chart illustrates when the events occurred. The stacked display avoids line crossings, but the values have to be read off as the height and not the absolute value. For example, the event count for PIX-302015 at 9:00 hours is 20,000-14000 = 6000.
Pie Chart	Shows the proportion for the COUNT(Matched Events) attribute		For any set of results where you are charting Count (Matched Events), click the Pie Chart icon to view a proportional representation of the results.

 

Bar Chart	Shows the distribution of aggregated fields		For any set of results where you are charting Count (Matched Events), click the Bar Chart icon to view the distribution of events for your results.
Scatter Plot	Shows the correlation between two aggregated fields		Scatter plots can show the correlation between two aggregated dimensions, effectively converting a one dimensional chart into a two dimensional one. In this case, a report is run with these parameters: Filter Condition: Event Types PH_DEV_MON_SYS_CPU_UTIL and PH_D EV_MON_SYS_MEM_UTIL Group By attribut: Host Name Display Fields: AVG(CPU Utilization) and AVG(Memory Utilization) The results are first presented as a stacked trend and bar chart. When you click on the Scatter Plot Chart icon, you can now see the display fields as two dimensions, which shows that most devices use more memory than CPU. Hovering your mouse cursor over an item in the chart displays the values for the selected host.
Bubble Plot	Shows the correlation between two aggregated fields with a third dimension as size		A bubble pot is a scatter plot with a third dimension field added to indicate size. In this example, the same type of search that was used to generate the scatter plot example is run, though the display field Last (System Uptime) ha s been added as a Size indicator.
Tree Map	A hierarchical tree-structured visualization that can be used to analyze dominating components of multidimensional data		A tree map is a hierarchical tree-structured visualization that you can use to analyze dominant components of multi-dimensional data. A classic example is an attempt to understand Top Talkers in a network. In this example, a search is run with these parameters: Filter Conditions: Group:Permit Traffic Group by attributes: Destination TCP/UDP Port, Destination IP, Source IP Display Fields: Destination TCP/UDP Port, Destination IP, Source IP, COUNT(Matched Events) The results, which run to 400 pages with approximately 10,000 entries, do not provide any information about: The proportion of the Top Destination Port The proportion of Top Source IPs for a given Destination Port The proportion of Top Destination IPs for a given Destination Port and Source IP By switching to a Tree chart, you can now see: Top ports are 161 (SNMP) and 53 (DNS) – with SNMP taking roughly 1.5 times the connections The top destinations for DNS are: 192.168.0.10 (Internal DNS) 208.67.222.222 (External DNS) The top sources going to 192.168.0.10 on the DNS port are 192.168.20.116, 192.168.65.125 The top sources going to 208.67.222.222 on DNS port are 192.168.0.10 You can now drill down on port 53 for a closer view by clicking 53.00 in the tree map, which results in the third screenshot in this example.

 

 

Heat Map

visualizes calculated measures in two dimensions using a color grade that helps users to understand intensity

A heat map visualizes two display fields using a color gradient that indicates intensity. A classic example is an attempt to understand which host is talking on which network port. In this example, a search is run with these parameters: Filter Conditions: Group:Permit Traffic Group By attributes: Destination TCP/UDP Port, Source IP Display Fields: Destination TCP/UDP Port, Source IP, COUNT(Matched Events) The first screenshot shows the results as a stacked trend chart. The second shows the results as a heat map with the Sample set to 1000. You can now hover your mouse cursor over indicators of higher intensity to view specific information. In this case 192.168.0.10, which appears as a small red bar in the lower left corner, is a heavy contributor to traffic on Port 53. In addition, vertica l lines indicate multiple hosts communicating on the same port, for example ports 22, 53, 80, 443, while horizontal lines indicate same host talking across multiple ports.

 

 

Refining the Results from Historical Search

Overview of Historical Search Results and Charts describes the charts that you can use to visualize historical search results, but there are also a variety of methods you can use to drill down into search results and refine your queries.

Charting a Specific Row from Historical Search Results

Charting Multiple Aggregation Attributes on the Same Historical Search Results Chart

Drilling Down on Search Results by Time Interval

Using Search Results to Refine Historical Searches Using Tabs to View Multiple Search Results

Charting a Specific Row from Historical Search Results

When your chart loads, the top five items are displayed as color-coded stack charts, as show in the example of this screenshot. However, you may want to remove results from the chart to get a clearer view of what is happening with a specific result. Here, for example, there are spikes for 192.168.19.65 that are clearly visible at various intervals, but the chart results for the other IPs obscure much of what is happening with this source IP.

The solution is to remove the other Source IPs from the chart. In the Chart column of the Results List, click on the items you want to remove from or add to the chart. In this example, all four of the other IPs have been removed from the chart to obtain a clearer visualization of the activity for 192.168.19.65.

 

 

 

 

Charting Multiple Aggregation Attributes on the Same Historical Search Results Chart

When you run a query, the resulting chart typically displays the first aggregated attribute in the Results List. However, if there are other aggregated attribute values in the search results, you can add those to the chart as a second dimension.

This screenshot shows the results for the report Top Router Network Intf By Util, Error, Discards, which includes the values for a single aggregated attribute, AVG(In Intf Util), for incoming interface utilization.

In this case, it could also be informative to understand more about the outbound interface utilization. In the second Chart For menu, AVG(Out Intf Util) is selected, and this is added as a second dimension to the chart beneath the 0 line, as shown in this screenshot.

 

Drilling Down on Search Results by Time Interval

When you run a search, the chart displays results for the time interval you set in your original query. However, you can also drill down to 5 minute, 10 second, and 1 second time intervals for a closer inspection of the results.

1. Hover your mouse cursor over the result and time interval you want to drill down on until the information pop-up appears, as shown in the first example screenshot.
2. Click to drill down and view the results for a 5 minute interval.
3. Follow the same process to drill down to the 10 second and one second intervals.

This series of screenshots illustrates starting from the original search results, and then drilling down to the 5 minute interval.

 

 

 

 

 

 

 

Using Search Results to Refine Historical Searches

In this screenshot of search results you can see a small but sudden spike in the SUM(Total Bytes) for Destination TCP/UDP Port 20756, which is represented by the color purple in the chart. In order to understand what is happening in this time interval, you can select this port and the time period of interest, and use these as filter criteria for a deeper investigation.

 

1. In the Results List, select the row containing the item of interest.
2. Click the Filter menu, and you will see the attributes of the selected item as filter options.
3. Select the attribute you want to use for your filter.

In this case, you would select Destination TCP/UDP Port = 20756.

Adding a Specific Attribute Value to a Filter

You can also click in the cell of the Results List that contains the attribute value you want to use in your filter, and then select Add to Filter from the pop-up menu that appears when you hover your mouse cursor over the attribute value.

4. In the Show menu select Raw Messages.

This will include the raw event logs in the Incident Details.

5. In the Display Fields menu, add or remove any display fields you want for the refined search results.

In this case two fields are added, Destination TCP/UDP Port and Total Bytes.

6. In the chart, click on the time period that is of interest to add it to the search criteria.
7. Click Run.

This screenshot shows the results for the selected port and time period, indicating that two events originating from Seattle WA were responsible for the spike.

 

8. Click in the Raw Event Log column for an event to view the event details.

See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information on how to view the attributes for reported events and add them to the display fields for your results.

Using Tabs to View Multiple Search Results

There may be occasions when you want to be able to run and compare the results of multiple searches.

1. Run your first search.
2. In the upper-left corner of the search screen, click +. A new tab will open up in the Analytics Window.
3. Run your second search in the new tab.

New Tabs for Drill-Down and Refined Searches

If you refine an existing search, zoom in on a time period, or use the time interval drill-down to examine search results, new tabs are automatically generated for each level of drill down, and for each refined search.  When you select an attribute to use in a refined search, you can also select Add to Filter in New Tab from the Options menu.

 

Creating a Structured Historical Search

Prequisites

Procedure

Prequisites

If you need to familiarize yourself with how historical search works or the historical search interface, you should read these topics:

Overview of the Historical Search User Interface

Example of How a Structured Historical Search is Processed

Sample Historical Searches

Structured Search Operators

Procedure

1. Log in to your Supervisor node.
2. Go to Analytics > Historical Search.
3. For Filter Criteria, select Structured.

The Conditions and Group By search window will open.

4. Click the downward arrow in the search window to open the Conditions and Group By

Alternatively you can click … to use a saved Filter Criteria Set.

5. Under Conditions, set the Attribute, Operator, and Value for your condition.

You can also use expressions as search conditions. See Using Expressions in Structured Searches and Rules for more information, and Selecting Attributes for Structured Searches, Display Fields, and Rules for more information about using attributes in conditions.

6. Click + under Row to add another condition, and set the Next Operator to use for that condition.

You can give precedence to conditions by setting parentheses around them with the + button under Paren.

7. Under Group By, set the event attributes that you want to use to group the results, as described in Example of How a Structured Historical Search is Processed.
8. Click OK.

You can also click Save as Filter Criteria Set, and these conditions and group by attributes will be available for future historical searches by clicking … next to the search window.

9. Under Display Fields, select the attributes you want to use as the columns in your results list.

See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information about selecting attributes for devices and events to use as display fields.

10. For multi-tenant deployments, select the Organization you want to run the search against.
11. For Time, set the interval over which you want the search to run.
12. Click Run.

The results of your search will appear in the chart and results list.

Using System-Defined Reports for Historical Search

FortiSIEM includes a number of pre-defined reports that you can use as the basis for historical searches.

Viewing Available Reports

Using System-Defined Reports in Historical Searches

Viewing Available Reports

1. Log in to your Supervisor node.
2. Go to Analytics > Reports.
3. Select a report group in the navigation pane, and then a report.

Each report includes four information tabs:

Tab	Description
Summary	Includes name, description, and all the criteria used in constructing the historical search for the report
Schedule	Any scheduled runs for the report. See Scheduling Reports for more information.
Results	Any saved results from running the report
Defintion	The XML definition of the report

Using System-Defined Reports in Historical Searches

1. Log in to your Supervisor node.
2. Go to Analytics > Historical Search.
3. Click Load Report.
4. Select the report you want to use, and then click OK.
5. Follow the same steps that you would for Creating a Structured Historical Search.

Creating a Simple Historical Search

Prequisites

Procedure

Prequisites

If you need to familiarize yourself with how historical search works or the historical search interface, you should read these topics:

Overview of the Historical Search User Interface

Example of How a Structured Historical Search is Processed

Sample Historical Searches

Structured Search Operators

Procedure

1. Log in to your Supervisor node.
2. Go to Analytics > Historical Search.
3. For Filter Criteria, select Simple.
4. Enter the keywords you want to search for in the raw event logs.

See Keywords and Operators for Simple Searches for information on keyword searching.

5. Under Display Fields, select the attributes you want to use as the columns in your results list.

See Selecting Attributes for Structured Searches, Display Fields, and Rules and Creating Filter Criteria and Display Column Sets for options for selecting display field attributes and sets.

6. For Time, set the interval over which you want the search to run.
7. For multi-tenant deployments, select the Organization you want to run the search against.
8. Click Run.

The results of your search will be displayed in the chart and search results list.

 

 

Analytics

FortiSIEM Analytics has three components:

Search

FortiSIEM search functionality includes real time and and historical search of information that has been collected from your IT infrastructure. With real time search, you can see events as they happen, while historical search is based on information stored in the event database. Both types of search include simple keyword searching, and structured searches that let you search based on specific event attributes and values, and then group the results by attributes.

Rules

Because FortiSIEM is continuously monitoring your IT infrastructure, you can also set rules so that when specific conditions are met, it triggers an incident, and, in some cases, sends a notification.

Reports

Reports are pre-defined search queries. FortiSIEM includes a large catalog of reports for common devices and IT analysis tasks that you can use and customize, and you can also save searches that you’ve run as reports to use again later.

Adding a Watch List to a Rule

Cloning a Rule

Running Historical Searches to Test Rule Sub Patterns

Setting Rules for Event Dropping

Setting Rules for Event Forwarding

Setting Global and Per-Device Threshold Properties

Using Geolocation Attributes in Rules

Using Watch Lists as Conditions in Rules and Reports Viewing Rules

Reports

Baseline Reports

System-Defined Baseline Reports

Creating a Report or Baseline Report

Identity and Location Report

Report Bundles

Creating a Report Bundle

Running a Report Bundle

Running System and User-Defined Reports and Baseline Reports

Scheduling Reports

Viewing Available Reports

Audit

Creating Audit Report

Running an Audit

Exporting Audit Results

Scheduling an Audit

Visual Analytics

AccelOps Visual Analytics Architecture

Installation and Configuration of AccelOps Visual Analytics

Requirements for Visual Analytics Report Server

Setting Up Visual Analytics

Hypervisor Installations for Report Server

Installing and Registering AccelOps Report Server in Amazon Web Services

Installing and Registering AccelOps Report Server in KVM

Installing and Registering AccelOps Report Server in Microsoft Hyper-V

Installing and Registering AccelOps Report Server in VMware ESX Syncing with the Report Server

Working with the Report Server

Report Server Architecture: phoenixdb and reportdb

Working with CMDB Data in AccelOps Report Server

Viewing phoenixdb Organization

Querying Incident Data in AccelOps Report Server

Reference: Attribute Columns in the ph_incident_view Table Sample Incident Queries

Querying Other CMDB Tables in AccelOps Report Server

Querying Device Vendor and Model Distribution for Discovered Devices Querying Discovered Devices

Working with Event Data in AccelOps Report Server

Viewing reportdb Organization

Syncing an AccelOps Report with Report Server

Deleting a Report from AccelOps Report Server

Modifying an Existing Report in AccelOps Report Server

Installing and Configuring Tableau Server

Creating and Managing Workbooks

Viewing Workbooks

Creating and Publishing Workbooks

Creating a Single Sheet Workbook

Creating a Multiple Sheet Workbook

Using AccelOps Workbooks with Tableau Visual Analytics Desktop and Server Adding Users to Workbooks

Real Time Performance Probe

 

Search

Historical and Real Time search is the core functionality of FortiSIEM analytics, enabling you to analyze, report on, and further improve your IT infrastructure.

Historical Search

Overview of the Historical Search User Interface

Example of How a Structured Historical Search is Processed

Sample Historical Searches

Creating a Simple Historical Search

Creating a Structured Historical Search

Using System-Defined Reports for Historical Search

Overview of Historical Search Results and Charts

Refining the Results from Historical Search

Charting a Specific Row from Historical Search Results

Charting Multiple Aggregation Attributes on the Same Historical Search Results Chart

Drilling Down on Search Results by Time Interval

Using Search Results to Refine Historical Searches

Using Tabs to View Multiple Search Results

Converting an Historical Search to a Real Time Search

Converting an Historical Search to a Rule

Real Time Search

Overview of the Real Time Search User Interface

Creating a Simple Real Time Search

Creating a Structured Real Time Search

Viewing and Refining Real Time Search Results

Structured Search Operators

Selecting Attributes for Structured Searches, Display Fields, and Rules

Using Expressions in Structured Searches and Rules

Keywords and Operators for Simple Searches

Using Geolocation Attributes in Searches and Search Results Creating Filter Criteria and Display Column Sets

Historical Search

With the Historical Search feature, you can go back in time and retrieve events from the event database. By using either a simple keyword-based search or a more detailed structured search, you can get quick and valuable insights into events that have occurred over any selected time period.

Overview of the Historical Search User Interface

Example of How a Structured Historical Search is Processed

Sample Historical Searches

Creating a Simple Historical Search

Creating a Structured Historical Search

Using System-Defined Reports for Historical Search

Overview of Historical Search Results and Charts

Refining the Results from Historical Search

Charting a Specific Row from Historical Search Results

Charting Multiple Aggregation Attributes on the Same Historical Search Results Chart

Drilling Down on Search Results by Time Interval

Using Search Results to Refine Historical Searches

Using Tabs to View Multiple Search Results

Converting an Historical Search to a Real Time Search Converting an Historical Search to a Rule

Overview of the Historical Search User Interface

You can run two types of historical searches on FortiSIEM data: simple searches, in which you use a keyword search, and structured searches, in which you can specify search conditions and how the results should be grouped.

Simple Historical Search

Simple Historical Search User Interface Controls Structured Historical Search

Simple Historical Search

When you use simple historical search, you enter a keyword to search for in the logs collected by FortiSIEM, specify any filter criteria, and then run the search, which will produce a chart and a list of results matching your search criteria. You can then use additional user interface controls to change the chart display, filter or find more information about events in the result list, and export or share results.

This screenshot shows the results of simple search using the keyword TCP.

Simple Historical Search User Interface Controls

UI Control	Description
Search Criteria	For simple historical search, use the search box to find keywords in raw event logs. You can also load an existing historical search report to use for your search criteria, or create a rule from your search results.
List Display Columns	Select which columns will be displayed in the search results
Filters	Set the time interval over which you want to search, and, for multi-tenant deployments, which organization’s logs you want to search
Report Management	Save Saves the report to Generated Reports where it will be retained for the time period you specify. You can also select whether you want the search criteria to be saved as a report that you can use in the future. Export Export the report, with the option of including the chart, as a PDF or CSV file Email Email the report as a CSV or PDF file, with the option of including the chart Copy to a new tab Load the search into a new tab within FortiSIEM
Chart Displa y	You can set both the data you want to display, and how it should be displayed. See Overview of Historical Search Results and Charts for more about the different chart types.
Event Filter	Select an event from the results, and add its attributes to structured search conditions.
Event Information	Select an event, and view Quick Info about it, or view Location information about it such as source or destination IPs.

Structured Historical Search

With historical structured search, you can enter conditions for your search based on event attributes, and set which attributes will be used to group the search results in a way that is similar to the use of the of the Group By command in SQL

This screenshot shows a structured historical search for All Non-Reporting Modules selected from the system Reports > Event Status. The screenshot below it shows a close-up of the the Conditions and Group By options dialog. See Creating a Structured Historical Search and Struc tured Search Operators for more information about these options.

Example of How a Structured Historical Search is Processed

When you run a structured historical search, all events within the specified time window are examined and added to the result set following these steps:

1. The system fetches the next event within the search time window and applies the filtering criteria. If the event does not pass the filtering criteria, the system fetches the next event.
2. If the event passes the filtering criteria, the system then compares the attributes of this event against the other entries in the result set. If the current event contains an attribute that is included in the Group By attribute set, then the results for that attribute are updated. Otherwise, a new entry is created in the result set.
3. After all the events in the search time window are processed, the system sorts the results to produce the final result set.

As an example, consider these events in the event database, and running a search for Top Firewall Recorded Conversations Ranked By Total Connections (Descending) and Total Bytes (descending) over them.

Event id	Time	Reporting Device	Source IP	Destination IP	Protocol		Source Port	Destination Port	Total Bytes
1	1/1/2010	10.1.1.1	192.168.1.1	192.168.10.4	TCP		2033	80	1024
2	1/2/2010	10.1.1.1	192.168.1.2	192.168.10.4	TCP		3000	443	4096
3	1/3/2010	10.1.1.1	192.168.1.1	192.168.10.4	TCP		2034	80	1024
4	1/4/2010	10.1.1.1	192.168.1.2	192.168.10.5	TCP		3001	443	2048
5	1/4/2010	10.1.1.1	192.168.1.1	192.168.10.4	TCP		2035	80	1024
6	1/5/2010	10.1.1.1	192.168.1.2	192.168.10.6	TCP		3002	443	2048
7	1/5/2010	10.1.1.2	192.168.1.1	192.168.10.4	TCP		9000	80	1024
Search						Search Criteria
Top Firewall Recorded Conversations Ranked By Total Connections (Descending) and Total Bytes (descending)						Filtering criteria: Reporting Device IP IN Firewall AND Event Type IN Permit Traffic Group-By attributes: Source IP, Destination IP, IP Protocol, Destination Port Display attributes: Source IP, Destination IP, IP Protocol, Destination Port, SUM(Matched Events) DESC, SUM(Total Bytes) DESC Query window: Between 1/2/10 and 1/5/10

Result

Source IP	Destination IP	Protocol	Destination Port	COUNT (Matched Events)	SUM(Total Bytes)
192.1.1.1	202.1.1.4	TCP	80	3	3072
192.1.1.2	202.1.1.4	TCP	80	1	4096
192.1.1.2	202.1.1.5	TCP	443	1	2048
192.1.1.2	202.1.1.6	TCP	443	1	2048

You could then run another search over these results:

Search	Search Criteria
Top Destination IPs Ranked By Total Connections (Descending) and Total Bytes (descending)	Filtering criteria: Reporting Device IP IN Firewall AND Event Type IN Permit Traffic Group-By attributes: Destination IP Display attributes: Destination IP, SUM(Matched Events) DESC, SUM(Total Bytes) DESC Query window: Between 1/2/10 and 1/5/10

Result

Destination IP	COUNT (Matched Events)	SUM(Total Bytes)
202.1.1.4	4	7 KB
202.1.1.5	1	2 KB
202.1.1.6	1	2KB

Sample Historical Searches

Sample Filter Criteria

Sample Structured Searches

Sample Filter Criteria

Filter criteria	Type	Meaning
Raw Event Log CONTAINS “login AND failed”	Simple (keyword) search	Only events that contain both the keywords “logon” and “failed” are part of report
Raw Event Log CONTAINS “denied”	Simple (keyword) search	Only events that contain the keyword “denied” are part of report
Reporting Device IP = 10.1.1.1	Structured search	Only events from the device that is reporting with IP address 10.1.1.1 are part of the report
Reporting Device IP IN Firewall	Structured search	Only events from firewall devices in CMDB are part of the report
Reporting Device IP IN Firewall AND Event Type IN Deny Traffic	Structured search	Only firewall deny events from firewall devices in CMDB are part of the report
Reporting Device IP IN Firewall AND Event Type IN Deny Traffic AND (Source IP = 192.1.1.1 OR Dest IP = 192.1.1.1)	Structured search	Denied traffic from 192.1.1.1 or to 192.1.1.1 reported by firewall devices in CMDB are part of the report
Reporting Device IP IN Domain Controller AND Event Type IN User/Group Change AND user NOT IN Domain Admins	Structured search	Domain Controller User/Group Changes not performed by users in the Domain Admin group
Raw Event Log REGEXP “faddr\s+\d+.\d+\d+\d+”	Structured search	Only events that contains strings like “faddr 10.1.1.1”, “faddr 192.168.29.1” are included in the report.

Sample Structured Searches

The following examples illustrate how to write a search using the AccelOps GUI.

Search	Specification in AccelOps GUI
Top Reporting Firewalls ranked by event count in the last hour	Filter Criteria: Reporting Device IP IN Firewall Group By attributes: Reporting Device IP Display attributes: Reporting IP, COUNT(Matched Events) DESC Query window: 1 hour
Top Reporting Firewalls and Event Types ranked by event count in the last hour	Filte Criteria: Reporting Device IP IN Firewall Group By attributes: Reporting Device IP, Event Type Display attributes: Reporting IP, Event Type, Severity, COUNT(Matched Events) DESC Query window: 1 hour
Top Firewall Denied Source IPs ranked by the total number of attempts in the last hour	Filter Criteria: Reporting Device IP IN Firewall AND Event Type IN Deny Traffic Group By attributes: Source IP Display attributes: Source IP, COUNT(Matched Events) DESC Query window: 1 hour
Top Firewall Recorded Conversations Ranked By Sent Bytes (descending), Received Bytes (descending)	Filter Criteria: Reporting Device IP IN Firewall AND Event Type IN Permit Traffic Group By attributes: Source IP, Destination IP, IP Protocol, Destination Port Display attributes: Source IP, Destination IP, IP Protocol, Destination Port, SUM(Sent Bytes) DESC, SUM(Received Bytes) DESC Query window: 1 hour

 

All unauthorized domain user/group changes in the last week

Filter Criteria: Reporting Device IP IN Domain Controller AND Event Type IN User/Group Change  AND user NOT IN Domain Admins Group By attributes: none Display attributes: Time, event type, user, computer, domain, target user, target domain Query window: 1 week

 

 

Importing and Export Widget Dashboards

Importing widget dashboards

Widget Dashboards can be imported from another FortiSIEM installation or from another dashboard folder of the same installation. If the two FortiSIEM versions do not have the same version, then the charts may look different because the data definition may be different.

1. Make sure you are viewing the dashboard
2. Click Import
3. Select the file from local desktop. It must an XML file suitable for import. Typically this is exported from another FortiSIEM system.
4. Click Import.
5. The dashboard will display

Exporting widget dashboards

1. Make sure you are viewing the dashboard

Click Export

Dashboards – HTML5 version

FortiSIEM includes two types of dashboards:

Summary dashboards that shows multiple metrics for the device in a single line. This enables users to see multiple metrics of the same device in one view.

Widget dashboards that provide separate views of each metric. This enables to see critical devices for a metric at a time.

Multiple dashboards can be grouped into a folder. User first needs to choose the dashboard folder and then select the dashboard within that folder.

Viewing System Dashboards

FortiSIEM provides several built-in dashboard folders covering many functional areas:

Infrastructure level

Network Dashboard

Server Dashboard

VMWare Dashboard

Web Server Dashboard

Application Server dashboard

Cloud Infrastructure level

Amazon Web Services Dashboard

Security Dashboard

Storage level

NetApp Dashboard

VNX Dashboard

Application level

Salesforce Dashboard

Office 365 Dashboard

Google Apps Dashboard

FortiSIEM Dashboard

To view these dashboards

1. Logon to FortiSIEM
2. Switch to the right organization (for Service Provider version)
3. Click Dashboard tab on the main user interface
4. Select the appropriate dashboard folder from the drop down. The dashboards belonging to the selected folder will show and the contents of the first dashboard will display automatically.
5. Select the appropriate dashboard to see its contents.

Creating New Dashboards

Creating a new dashboard folder

Creating a new dashboard within a folder

Adding reports to a widget dashboard

Adding devices to a summary dashboard

Make sure that you are logged on to the right organization (for Service Provider version).

Creating a new dashboard folder

1. Click on the dashboard folder menu and Select
2. Enter the name of the new dashboard folder
3. The new dashboard will show

Creating a new dashboard within a folder

1. Click on the icon on the top bar
2. Enter the following information
   1. Name – the name of the dashboard
   2. Type – Widget or Summary dashboard
   3. Description
3. Click Save

Adding reports to a widget dashboard

1. Click on the icon on the left under the dashboard name
2. Select the report and it will highlight
3. Drag the report to the dashboard and the results will show 4. To customize the chart settings, see here.

To add a CMDB Report, simply add from the CMDB Report folder in Step 2.

Adding devices to a summary dashboard

1. Click on the icon on the top menu bar
2. Select the device(s) and move them to the right pane by clicking the button
3. Click OK
4. To customize the columns, see here

Deleting Dashboards

Note that built-in dashboard folders and dashboards can not be deleted.

Deleting user defined dashboards

1. Click on the button next to the dashboard
2. Click OK

Deleting user defined dashboard folders

1. Click on the button next to the dashboard folder 2.  Click OK

Modifying Dashboards

Modifying widget display

1. Select a widget and click on the Settings button
2. Customize the fields as appropriate
   1. Title – the chart name that displays at the top
   2. Display – select chart type from the possible options
   3. Width – the size of the chart in horizontal dimension – note that this is relative
   4. Height – the size of the chart in vertical dimension – note that this is relative
   5. Refresh interval – how often the chart’s content will refresh
   6. Result Limit – number of rows in the result
3. Click OK.

Adding reports to a widget dashboard

1. Click on the icon on the left under the dashboard name 2.  Select the report and it will highlight.
2. Drag the report to the dashboard and the results will show 4. To customize the chart settings, see here.

If you want to add a new report or modify a system report, then follow these steps

1. Create the report in Analytics
2. Then report will show up in the list of reports in Step 2 above.

Modifying widget dashboard layout

There are two possibilities – Tile layout (default) or column layout.

1. To select Tile layout, select Tile option from the menu next to on top. Tile layout allows you to place widgets of several sizes on the dashboard.
2. To select a column layout, choose the number of columns from the menu next to .

Adding, removing and re-ordering columns on a summary dashboard

1. Select the button the top.
2. To remove one or more columns from display, select them in the Selected Columns and then move them to the left by clicking the

button.

3. To add one or more columns to the display:
4. Select an Event Type in the left most column. The corresponding metrics from that event type will show. b. Select one or more columns in the middle column
5. Move them to the right by clicking the button 4.  To change the position of the columns 5.  Click OK to save the changes.

Sharing Dashboards

The following sharing rules are enforced

User created dashboard folders and its contents are only visible to the user who created it. If this folder need to be visible to other users, then we recommend using a shared account or

using export/import mechanism to create the folder for that user

System dashboard folders are owned by FortiSIEM. Any changes to those dashboards may be lost during upgrade, if FortiSIEM also decides to change those dashboards.