Skip to main content
pr7
pr7
New Member
October 10, 2024
Question

Event types and tweak rule

  • October 10, 2024
  • 2 replies
  • 1248 views

Hello
I have a rule called "Successful Windows Dormant Account Logon" which works great, but i would need to tweak the number of days it responds to but can't figure out how to change the number of days SIEM acts on since last login (which is detected by LDAP sync).

The rule consists of "Group@PH_SYS_EVENT_HostLogonSuccess,Group@PH_SYS_EVENT_DomainLogonSuccess" and "Group@PH_DYNLIST_DORMANT_USERS" which are Event Types. I don't understand the connection between Event Types and the rule itself which only consists of Event Types which cannot be changed (?).
How can i change the rule containing the attribute "Event Type=Group@PH_SYS_EVENT_HostLogonSuccess,Group@PH_SYS_EVENT_DomainLogonSuccess" to act on more days than 30?
Or less if i want to....?
I can't manage to read up on this somehow.

I would humbly like to get a complete explanation of how Event Types work in SIEM and how the connection is to the rule itself as well as how to change these values. I've copied system rules before and changed the content to suit our environment but now I'm stuck on this.

    2 replies

    premchanderr
    Staff & Editor
    premchanderr
    Staff & Editor
    October 14, 2024

    Hi @pr7 ,

     

    The rule is triggered for users in Group PH_DYNLIST_DORMANT_USERS . 

     

    "PH_DISCOV_ADS_DORMANT_ACCT" is for AD users that are not logged in for more than 30 days. Basically upon discovery users are added into group PH_DYNLIST_DORMANT_USERS .

     

    So when these users get a logon it then matches the pattern and triggers the rule.


    You can analyze the fields from parsed log to see what further tweak can be done. 

     

    Regarding your specific query to act on more or less than 30 days, look for the field [daysSinceLastLogon] and use it in rules accordingly. 

      pr7
      pr7Author
      New Member
      October 15, 2024

      Hi @premchanderr 

      Thanks for the answer!
      However, I cannot for my life figure out how to find daysSinceLastLogon and further manage this via a tweaked rule. I certainly wouldn't say no to some kind of instruction around this.
      Note that I am relatively new to this particular SIEM product and haven't gotten that far yet in my FortiSIEM journey.

      Thank you again for your commitment.

      premchanderr
      Staff & Editor
      premchanderr
      Staff & Editor
      October 17, 2024

      Hi @pr7 ,

      When I run LDAP Discovery I get this field automatically.

      Sample log:
      [user]=,[userFullName]=33e3bf06-98e1-473c-85e6-5495c3e4y52e,[userDN]=CN=33e3bf06-98e1-473c-85e6-5495c3e4y52e,CN=e50bb63a-03b-49fe-ae38-df459e2d34d1,CN=BDWS,CN=Microsoft,CN=Program Data,DC=globalTech,DC=local,[lastLogon]=0,[daysSinceLastLogon]=19420,[phLogDetail]=

      If you aren't receiving it then do review the LDAP DIscovery integration as per document.  Since its specific to your system and involves checking your environment, better to open support ticket for further clarification. 

      Terms & ConditionsAccessibility statement