IsuruTharanga
May 29, 2020
Question

FortiSIEM - Rule Exceptions not working
Hi,

I was trying to reduce false positives from several rules and wanted to have a few exceptions / whitelisting in place. Following is a sample scenario where I want to whitelist several domains that are triggering the "System Rule: Blacklist User Agent Match".

I cloned the rule and set a few exceptions in the Exception section as follows:

Moreover, I have created a few lists for easy management as follows:

This is one of those lists I have created.

I tried the rule testing feature also, but it won't whitelist the domains I excluded.

Since then I have tried excluding in the rule condition section as follows:

This won't work either. It is still triggering the alarms for the whitelisted domains as well.

Following is a sample log that I'm trying to whitelist:

Any suggestions on this matter?

Regards,
Isuru


FSM_FTNT
Staff
June 18, 2020

Hi Isuru, sorry for the delay.

Can you send me that test event? I want to test this out in the lab.

Looking at the rule, this should work.

What version of FSM are you running? If on 5.3.0, I suggest trying 5.3.1.

Thanks

Dan
IsuruTharanga
June 22, 2020

RAW logs
HugoPinto
June 25, 2020

Hi,

I have the same rule in rule exceptions, when we don't pass the Event Attribute in the Group By condition.

Try to pass one Folder in rule exceptions, like this:

A IN A OR
A IN B OR
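As an added illustration (this is not code from the thread and not FortiSIEM's own engine), the following Python model reproduces the behaviour HugoPinto describes: the rule condition selects events, only the Group By attributes survive aggregation into an incident key, and the exception (a `destName IN whitelist` test) is evaluated against that key. If the attribute the exception refers to is not in the Group By, the exception has nothing to test and the incident still fires. All log lines, list contents and attribute names (`srcIp`, `destName`, `userAgent`, `BLACKLISTED_UA`, `WHITELIST_DOMAINS`) are constructed assumptions for the example.

```python
"""Toy model of a correlation rule with an exception (whitelist) list.

Constructed illustration only: it models the Group By gotcha discussed in the
thread, it is not FortiSIEM code and does not use FortiSIEM's rule syntax.
"""
import re
from collections import defaultdict

# Constructed proxy-style log lines (key=value pairs), not real data.
SAMPLE_LOGS = [
    'srcIp=10.0.0.5 destName=updates.example-vendor.com userAgent="python-requests/2.23"',
    'srcIp=10.0.0.5 destName=evil.example.net userAgent="python-requests/2.23"',
    'srcIp=10.0.0.9 destName=cdn.example-vendor.com userAgent="curl/7.68.0"',
    'srcIp=10.0.0.9 destName=www.example.org userAgent="Mozilla/5.0"',
]

# Assumed blacklist of user-agent substrings (stand-in for the system rule's list).
BLACKLISTED_UA = ["python-requests", "curl/"]

# Assumed whitelist, stand-in for the domain list created in the thread.
WHITELIST_DOMAINS = {"updates.example-vendor.com", "cdn.example-vendor.com"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse key=value pairs into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def rule_condition(ev):
    """Rule filter: fire when the user agent contains a blacklisted substring."""
    ua = ev.get("userAgent", "")
    return any(bad in ua for bad in BLACKLISTED_UA)


def exception_matches(incident_key):
    """Exception clause: destName IN WHITELIST_DOMAINS.

    It sees only the incident key, i.e. the Group By attributes.  When destName
    is not part of the Group By, the lookup yields None and never matches.
    """
    return incident_key.get("destName") in WHITELIST_DOMAINS


def run_rule(lines, group_by):
    """Evaluate the rule over log lines; return incident keys that still fire."""
    buckets = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if not rule_condition(ev):
            continue
        # Aggregation keeps only the Group By attributes; everything else is dropped.
        key = tuple((attr, ev.get(attr)) for attr in group_by)
        buckets[key] += 1

    incidents = []
    for key, count in buckets.items():
        kd = dict(key)
        if exception_matches(kd):
            continue  # suppressed by the whitelist
        kd["count"] = count
        incidents.append(kd)
    return incidents


if __name__ == "__main__":
    # destName in the Group By: the whitelist suppresses the vendor domains,
    # only the evil.example.net incident remains.
    print("Group By srcIp, destName:", run_rule(SAMPLE_LOGS, ("srcIp", "destName")))
    # destName absent from the Group By: the exception can never match, and the
    # whitelisted traffic is merged with the bad traffic under the same key.
    print("Group By srcIp only:     ", run_rule(SAMPLE_LOGS, ("srcIp",)))
```

The second run is the failure mode in the thread: with `destName` missing from the Group By, both sources produce incidents even though 10.0.0.9 only contacted a whitelisted domain. Adding the excepted attribute to the Group By is the fix this model demonstrates; whether a given FortiSIEM version behaves exactly this way is the thread's open question, not something this example proves.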