Martin_Sa
New Member
September 1, 2023
Question

Analyze incident "FortiSIEM: Too Many Unknown Events"

Hello,

How can we find out from which log source the events that cannot be parsed are coming?

This is not clear from the Incident or RAW log; it only says the collector. Any ideas? Thanks in advance!

Greetings
Martin

1 reply

cdurkin_FTNT
Staff
September 1, 2023

I would suggest the easiest way would be to create an Analytic search...

Condition: Event Type = Unknown_EventType (or simply Event Type CONTAIN Unknown_)

Group By: Reporting IP & Count (Matched Events)

This will display which host is reporting the most Unknown Events and then you can pivot from there to view the raw messages if required.
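The same triage as the search above, done offline over exported search results, as an added example that is not part of the original post or of FortiSIEM itself. It assumes rows carry the attribute names `reptDevIpAddr`, `eventType` and `rawEventMsg` (an assumption, not taken from the post) and uses constructed sample rows; it ranks reporting IPs by unknown-event count and keeps a couple of raw messages per IP so the real source behind a shared collector or relay host can be identified from the syslog header.

```python
from collections import Counter, defaultdict

# Constructed sample rows, as if exported from an analytic search filtered on
# Event Type CONTAIN "Unknown_". Attribute names are assumed, not from the post.
SAMPLE_EVENTS = [
    {"reptDevIpAddr": "10.0.0.5", "eventType": "Unknown_EventType",
     "rawEventMsg": "<13>Sep  1 10:01:02 appsrv custom-app: job 42 finished"},
    {"reptDevIpAddr": "10.0.0.5", "eventType": "Unknown_EventType",
     "rawEventMsg": "<13>Sep  1 10:01:05 appsrv custom-app: job 43 started"},
    {"reptDevIpAddr": "10.0.0.5", "eventType": "Unknown_EventType",
     "rawEventMsg": "<13>Sep  1 10:01:09 appsrv backup-agent: snapshot ok"},
    {"reptDevIpAddr": "10.0.0.9", "eventType": "Unknown_EventType",
     "rawEventMsg": "<14>Sep  1 10:02:00 relay01 legacy-switch: link up ge0/3"},
    {"reptDevIpAddr": "10.0.0.9", "eventType": "Win-Security-4624",
     "rawEventMsg": "An account was successfully logged on."},
]


def unknown_by_reporting_ip(events, prefix="Unknown_", samples_per_ip=2):
    """Count events whose type starts with `prefix`, grouped by reporting IP.

    Returns (counts, samples): counts maps IP -> number of unknown events,
    samples maps IP -> up to `samples_per_ip` raw messages to pivot into.
    """
    counts = Counter()
    samples = defaultdict(list)
    for ev in events:
        if not ev.get("eventType", "").startswith(prefix):
            continue  # parsed event, not relevant to the incident
        ip = ev.get("reptDevIpAddr", "unknown")
        counts[ip] += 1
        if len(samples[ip]) < samples_per_ip:
            samples[ip].append(ev.get("rawEventMsg", ""))
    return counts, dict(samples)


def top_unknown_reporters(events, n=5):
    """Reporting IPs ranked by unknown-event count, highest first."""
    counts, _ = unknown_by_reporting_ip(events)
    return counts.most_common(n)


if __name__ == "__main__":
    counts, samples = unknown_by_reporting_ip(SAMPLE_EVENTS)
    for ip, total in top_unknown_reporters(SAMPLE_EVENTS):
        print(f"{ip}: {total} unknown events")
        for raw in samples[ip]:
            print("   ", raw)
```

The program name in the raw syslog header (custom-app, backup-agent, legacy-switch) is usually what tells you which application or device needs a parser, even when the reporting IP is only a relay.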