koolishami
Staff
March 24, 2025

Technical Tip: Finding a Rule Based on Incident Event Type

Description
This article provides a method to identify a rule based on the Event Type associated with an incident.
Scope
FortiSIEM v7.x+.
Solution

When testing FortiSIEM configurations and creating custom rules, an incident may not appear in the Incidents tab but can still be found in the Analytics tab by searching with the filter 'System Event Category = 1'. Because incidents and rules are both stored in the Supervisor's PostgreSQL database, the rule that generated a given incident can be identified with the following steps:


  1. Retrieve the Rule ID from the Incident Event Type: On the Supervisor CLI, open the database and run the following query, replacing <Incident Event Type> with the Event Type observed in Analytics:

psql -U phoenix phoenixdb
SELECT DISTINCT incident_et, rule_id FROM ph_incident WHERE incident_et='<Incident Event Type>';

ph_incident holds one row per incident, so DISTINCT collapses the output to a single line per Event Type and rule.

If the exact Incident Event Type is unclear, match on a partial string instead. Note that LIKE only performs a partial match when the pattern contains the % wildcard; without it, LIKE behaves exactly like =:

psql -U phoenix phoenixdb
SELECT DISTINCT incident_et, rule_id FROM ph_incident WHERE incident_et LIKE '%<part of the Incident Event Type>%';


Example: see the screenshot Example.jpg in the original article (not reproduced here).

  2. Find the Corresponding Rule: Once the rule_id is obtained, use it to retrieve the rule details:

psql -U phoenix phoenixdb
SELECT * FROM ph_drq_rule WHERE id='XXXXXX';

Replace XXXXXX with the retrieved rule_id. If the returned row is hard to read, the psql meta-command \x toggles expanded output (one column per line).
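The two steps above can be combined into a single lookup. The following is an added example and not part of the original article: it uses the rule_id/id relationship between ph_incident and ph_drq_rule that step 2 relies on, first to show how many incidents each matching Event Type has produced, then to return the matching rule rows without the per-incident duplicates a plain JOIN would give. The table and column names ph_incident(incident_et, rule_id) and ph_drq_rule(id) come from the article; the join condition and the pattern 'PH_RULE_%' are assumptions, the pattern being only a placeholder to replace with the Event Type (or a fragment of it wrapped in %) seen in Analytics.

```sql
-- Added example (not from the original article). Run inside:
--   psql -U phoenix phoenixdb
-- Tables/columns taken from the article: ph_incident(incident_et, rule_id), ph_drq_rule(id).
-- Assumption: ph_incident.rule_id references ph_drq_rule.id (what step 2 of the article relies on).
-- 'PH_RULE_%' is a placeholder pattern: '%' is the LIKE wildcard, so this matches every
-- Event Type that starts with PH_RULE_. Replace it with the Event Type observed in Analytics,
-- or with a fragment of it wrapped in '%'.

-- 1. One line per (Event Type, rule) pair, with the number of incidents each has produced.
--    ph_incident stores one row per incident, so GROUP BY replaces the per-incident output.
SELECT   i.incident_et,
         i.rule_id,
         COUNT(*) AS incidents
FROM     ph_incident AS i
WHERE    i.incident_et LIKE 'PH_RULE_%'
GROUP BY i.incident_et, i.rule_id
ORDER BY incidents DESC, i.incident_et;

-- 2. The matching rule definitions, one row per rule.
--    EXISTS avoids both the duplicate rows a plain JOIN would return (one per incident)
--    and a DISTINCT over every column of ph_drq_rule.
\x on
SELECT r.*
FROM   ph_drq_rule AS r
WHERE  EXISTS (SELECT 1
               FROM   ph_incident AS i
               WHERE  i.rule_id = r.id
               AND    i.incident_et LIKE 'PH_RULE_%');
\x off
```

The first query is useful on its own when validating a custom rule: a rule that is firing far more often than expected shows up immediately in the incident count, before its definition is even looked at.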

This method maps an Incident Event Type to the rule that generated it, which helps when troubleshooting incident visibility and validating custom rules.

Related document:

FortiSIEM Event Categories and Handling