Technical Tip: How to fetch a list of rules that contain a specific event type in FortiSIEM
| Description | This article describes how to fetch the list of rules whose sub-patterns reference a specific event type. |
| Scope | FortiSIEM. |
| Solution | The steps below produce a list of rules that reference a given event type, or the event type group it belongs to, in a rule sub-pattern.
The event type 'FortiGate-appctrl-ips-pass' is a member of the 'Permitted Net Traffic' group under Resources -> Event Types. The Permitted Net Traffic group is referenced by many default rules in FortiSIEM.
To query for these rules, the internal name of the Permitted Net Traffic group as stored in the database is needed; it differs from the display name shown in the GUI. It can be read from the rule definitions returned by the REST URL below after logging in to FortiSIEM.
Open a new tab and enter the URL below, substituting the IP address or FQDN of the FortiSIEM Supervisor for <IP>:
https://<IP>/phoenix/rest/dataRequest/rule
In the returned rule definitions, locate a rule known to use the Permitted Net Traffic group; its sub-pattern references the group by its internal name, PH_SYS_EVENT_PermitNetTraffic.
For example, the rule 'Permitted Traffic from OpenCTI Malware IP List' references this group.
The following query, run with psql on the Supervisor, lists the rules whose definition (the rule_xml column of ph_drq_rule) contains the Permitted Net Traffic group in a sub-pattern:
psql -U phoenix phoenixdb -c "select name from ph_drq_rule where rule_xml ilike '%PH_SYS_EVENT_PermitNetTraffic%';" > /tmp/rules.txt
Check /tmp/rules.txt for the resulting list of rule names.
To search for a different group, or for an event type that rules reference directly by name rather than through a group, replace PH_SYS_EVENT_PermitNetTraffic with that group's internal name or the event type name. The query matches the string anywhere in the rule XML, so review the listed rules to confirm where each one uses it; if the event type belongs to more than one group, repeat the query for each group name. |
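As an added example (not part of the original article and not Fortinet's own tooling), the shell script below wraps the procedure above: it builds the ph_drq_rule query for one or more search terms, escapes the LIKE metacharacters so that the underscores in PH_SYS_EVENT_PermitNetTraffic are matched literally rather than as single-character wildcards, ORs the terms so the group's internal name and the raw event type name can be searched in one pass, and runs the query through psql on the Supervisor. It assumes that psql -U phoenix phoenixdb works from the shell on the Supervisor, as the article does; the RULES_OUT variable, the /tmp/rules.txt default and the psql -At -o options are this script's own choices.

```shell
#!/bin/sh
# Added example, not from the original article: build and run the ph_drq_rule
# query for one or more search terms (group internal names or event type names).
# Assumed to run on the FortiSIEM Supervisor where "psql -U phoenix phoenixdb"
# works, as in the article. RULES_OUT and the psql options are this script's own.
set -eu

# Escape a term for use inside an ILIKE pattern declared with ESCAPE '!'.
# '%' and '_' are LIKE metacharacters (so every "_" in PH_SYS_EVENT_... would
# otherwise match any single character), '!' is our escape character, and a
# single quote must be doubled inside a SQL string literal.
like_escape() {
    printf '%s' "$1" | sed -e 's/!/!!/g' -e 's/%/!%/g' -e 's/_/!_/g' -e "s/'/''/g"
}

# Print the SQL that lists every rule whose XML mentions any of the given terms.
# Terms are ORed, so one query can cover both the group's internal name and the
# event type name for rules that reference the event type directly.
build_rule_query() {
    [ "$#" -gt 0 ] || { echo "usage: build_rule_query TERM..." >&2; return 1; }
    sql="select name from ph_drq_rule where"
    sep=""
    for term in "$@"; do
        sql="$sql$sep rule_xml ilike '%$(like_escape "$term")%' escape '!'"
        sep=" or"
    done
    printf '%s order by name;\n' "$sql"
}

# Run the query on the Supervisor and write the matching rule names, one per
# line, to $RULES_OUT (default /tmp/rules.txt as in the article). -A and -t
# drop psql's column header, alignment padding and row-count footer.
list_rules() {
    out="${RULES_OUT:-/tmp/rules.txt}"
    build_rule_query "$@" | psql -U phoenix phoenixdb -At -o "$out"
    printf 'rules referencing %s written to %s\n' "$*" "$out"
}

# Usage: sh list_rules.sh PH_SYS_EVENT_PermitNetTraffic FortiGate-appctrl-ips-pass
if [ "$#" -gt 0 ]; then
    list_rules "$@"
fi
```

Run it on the Supervisor as sh list_rules.sh PH_SYS_EVENT_PermitNetTraffic FortiGate-appctrl-ips-pass; build_rule_query can be called on its own to inspect the SQL before executing it. The escape character is '!' rather than a backslash so the generated SQL reads the same whether or not standard_conforming_strings is enabled on the database.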
