Troubleshooting Tip: FortiSIEM disabled rules that are triggered
Description
This article provides a method to troubleshoot FortiSIEM rules that still trigger after being disabled.
Scope
FortiSIEM.
Solution
From v7.1.x onwards, a rule_xml column is added to the ph_drq_rule table in the Phoenix Database. FortiSIEM treats this column as the authoritative source when determining a rule's configuration, so the XML takes precedence over the other columns of the table. As a result, users may experience the issues below:
- Disabled rules are triggered.
- Customized rules are triggered at the wrong severity.
In that case, users can resolve the issue by enabling and then disabling the affected rules again via the GUI under Resources -> Rules. This re-synchronizes the XML configuration with the database.
From v7.2.x onwards, the rule XML additionally carries the setting below:
<active>true</active>
Users may experience the same issues mentioned above. The mismatch can be verified with the commands below: the first counts rules that are disabled in the active column, the second counts rules whose XML still marks them as active.
#psql -U phoenix phoenixdb -c "SELECT COUNT(*) from ph_drq_rule WHERE active='f';"
#psql -U phoenix phoenixdb -c "SELECT COUNT(*) from ph_drq_rule WHERE rule_xml LIKE '%<active>true</active>%';"
Although the active column shows 'f' for a disabled rule, FortiSIEM prioritizes the status in the XML configuration and continues to trigger the rule as long as rule_xml contains <active>true</active>.
In that case, users can apply the same solution above.
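The two counts above are totals, so they do not show directly how many rules are in the inconsistent state. The query below is an added example, not part of the Fortinet article: it cross-tabulates the active column against the <active> element inside rule_xml, using a regular expression so that whitespace around the value (as in "<active> true </active>") is still matched. It assumes only the columns named in the article (active as a PostgreSQL boolean, rule_xml as text) and can be run with the same psql -U phoenix phoenixdb session.

```sql
-- Added example (not from the article): classify every rule by the value of
-- its active column and by the <active> element found in its rule_xml.
-- Rows with active = false and xml_active = 'true' are the rules that
-- FortiSIEM will keep triggering even though they appear disabled.
SELECT
    active,
    CASE
        WHEN rule_xml ~* '<active>\s*true\s*</active>'  THEN 'true'
        WHEN rule_xml ~* '<active>\s*false\s*</active>' THEN 'false'
        ELSE 'absent'   -- rule_xml predates the v7.2.x <active> element
    END AS xml_active,
    COUNT(*) AS rule_count
FROM ph_drq_rule
GROUP BY active, xml_active
ORDER BY active, xml_active;

-- Number of disabled rules whose XML still marks them active, i.e. the
-- rules that need to be enabled and disabled again in the GUI.
SELECT COUNT(*) AS still_active_in_xml
FROM ph_drq_rule
WHERE active = false
  AND rule_xml ~* '<active>\s*true\s*</active>';
```

Re-run the second query after toggling the rules under Resources -> Rules; a result of 0 confirms that the XML and the active column are back in sync.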
Note:
If many rules are affected, upgrade to v7.3.0, where the issue is fixed permanently.
Related article:
Technical Tip: How to export all customized rules
