Akmostafa
Explorer
March 26, 2026
Question

Understanding FortiSIEM baseline rules

  • March 26, 2026
  • 2 replies
  • 154 views

Hello friends.

I am having some challenges understanding the structure of the performance baselining and anomaly process in FortiSIEM.

As per my readings the following happens:

1. The baseline profile is configured in profileReport.xml.

FortiSIEM stores the performance events in hourly buckets in the daily.db.

2. Events are summarized and then added to the profile.db.

So performance data are aggregated and grouped by hour of day and inserted as one entry into the profile table.

The profile table is updated every weekday and weekend; that is, only one set of data is present for the most recent workday, and old workdays are removed from the table.

My question is: when we define a rule, we use the stat_avg and stat_stddev functions to compare current data to the data in the profile (baseline) report.

Why do we calculate the average for the baseline data to be compared with the current data, when it should already be calculated and present in the profile table? (That is, each hour of day has just one entry for a given source address, for instance.)

2 replies

Secusaurus
Contributor III
April 7, 2026

Hi @Akmostafa,

I think the reason for the confusion is in the assumption "one set of data is only present for the most recent workday".

The data in these buckets already is the baseline. It's not the most recent value, but it is the already calculated baseline for this specific hour of workday/weekend.

So, if you compare e.g. ping-loss-percentage for the last hour against the "last-hour-bucket" in the table, you are comparing "now" (e.g. 95%) against a baseline that has been calculated from weeks of data (probably something like 2%).

The "now"-value will be inserted into that bucket by a specific formula, which will translate these 95% and long-term 2% to something like 3%.

However: in our experience, these baselines are not very useful for most of our customers. Just separating workday and weekend and narrowing down to distinct IP addresses or users has several issues for shift systems (most obvious in hospitals), flexible working hours and home office, and for international companies with different time zones.

You might want to have a look into the ML algorithms as well, although it's even more confusing if you don't have a data scientist at your side.

Best,

Christian

NSE8 | Fortinet Advanced MSSP Partner
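As an added illustration (not FortiSIEM's own code, and not the formula the product actually uses), the following Python models the flow described in the question and in the reply above: raw hourly samples are summarised into (workday/weekend, hour-of-day) buckets with stat_avg and stat_stddev, a rule compares "now" against the stored bucket, and the observation is then folded back into the bucket with an exponentially weighted update that turns a 95% spike against a 2% baseline into roughly 2.93%. The smoothing weight ALPHA, the bucket layout, the z-score threshold and the sample ping-loss values are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from math import sqrt

# Assumed smoothing weight for folding "now" into its bucket. The real profile
# update formula is not stated in the thread; 0.01 reproduces the 95% -> ~3% effect.
ALPHA = 0.01


def bucket_key(ts):
    """Profile bucket: (day type, hour of day). Accepts a datetime or an ISO 8601 string."""
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    day_type = "weekend" if ts.weekday() >= 5 else "workday"
    return (day_type, ts.hour)


def stat_avg(values):
    """Arithmetic mean over a set of values (the rule-side aggregate)."""
    return sum(values) / len(values)


def stat_stddev(values):
    """Population standard deviation over a set of values."""
    avg = stat_avg(values)
    return sqrt(sum((v - avg) ** 2 for v in values) / len(values))


class HourlyBaseline:
    """One row per (day type, hour) bucket holding the summarised baseline."""

    def __init__(self, alpha=ALPHA):
        self.alpha = alpha
        self.buckets = {}  # key -> {"avg": float, "stddev": float, "count": int}

    def seed(self, history):
        """Summarise raw hourly samples into buckets (the daily.db -> profile.db step)."""
        grouped = defaultdict(list)
        for ts, value in history:
            grouped[bucket_key(ts)].append(float(value))
        for key, vals in grouped.items():
            self.buckets[key] = {"avg": stat_avg(vals),
                                 "stddev": stat_stddev(vals),
                                 "count": len(vals)}
        return self.buckets

    def check(self, ts, value, k=3.0):
        """Rule-side comparison: is 'now' more than k standard deviations from its bucket?
        Returns (is_anomaly, z_score); a bucket with no history cannot flag anything."""
        b = self.buckets.get(bucket_key(ts))
        if b is None:
            return (False, 0.0)
        diff = value - b["avg"]
        if b["stddev"] > 0:
            z = diff / b["stddev"]
        else:
            z = 0.0 if diff == 0 else float("inf")
        return (abs(z) > k, z)

    def update(self, ts, value):
        """Fold 'now' into its bucket with an exponentially weighted mean/variance
        (assumed formula): with alpha=0.01, 95% against a 2% baseline gives 2.93%."""
        key = bucket_key(ts)
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = {"avg": float(value), "stddev": 0.0, "count": 0}
        else:
            diff = value - b["avg"]
            incr = self.alpha * diff
            b["avg"] += incr
            b["stddev"] = sqrt((1 - self.alpha) * (b["stddev"] ** 2 + diff * incr))
        b["count"] += 1
        return b


def demo():
    """Constructed ping-loss percentages: five workday and two weekend 10:00 samples."""
    history = [
        ("2026-03-02T10:00", 1.0), ("2026-03-03T10:00", 2.0), ("2026-03-04T10:00", 3.0),
        ("2026-03-05T10:00", 2.0), ("2026-03-06T10:00", 2.0),   # Mon-Fri -> ("workday", 10)
        ("2026-03-07T10:00", 0.5), ("2026-03-08T10:00", 0.5),   # Sat/Sun -> ("weekend", 10)
    ]
    baseline = HourlyBaseline()
    baseline.seed(history)
    now = "2026-03-26T10:00"            # a Thursday, so it lands in ("workday", 10)
    is_anomaly, z = baseline.check(now, 95.0)
    baseline.update(now, 95.0)
    return is_anomaly, z, baseline.buckets[("workday", 10)]["avg"]


if __name__ == "__main__":
    flagged, z, new_avg = demo()
    print(f"anomaly={flagged} z={z:.1f} bucket avg after update={new_avg:.2f}")
```

The point of the `check`/`update` split is the one the reply makes: the rule compares against the bucket that already holds weeks of smoothed history, and the single 95% observation only nudges that bucket (2.0 to 2.93 with the assumed weight) rather than replacing it, so one incident does not become the new normal.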
Robbert4sure
New Member
May 1, 2026

Hey, you’re actually pretty close in your understanding of FortiSIEM’s baseline flow. The key point is that the profile table stores aggregated historical values per time bucket, but the rule engine still recalculates stat_avg and stat_stddev dynamically to make anomaly detection more flexible and statistically consistent. This helps handle variations and avoids relying on a single static baseline value that might be outdated or incomplete. So even though data is pre-aggregated, recalculation ensures more accurate real-time comparisons.

Robbert4Sure