mshubham
Staff
January 22, 2026

Troubleshooting Tip: Incident triggering from outdated Sigma rule which is not present in GUI

Description
This article describes why an outdated Sigma rule can still trigger an incident even though the rule no longer appears in the GUI.
Scope
FortiSIEM.
Solution

This type of issue generally occurs with Sigma rules. Sigma rules are sourced directly from the public SigmaHQ repository on GitHub and are not custom-created; they are updated dynamically as part of the FortiSIEM content update process.


However, in certain cases incidents that were previously triggered by rules that have since been deprecated remain stored in the database. If such a rule is not present in the rule list in the GUI, it has been changed by the FortiSIEM content update process: the Sigma rule was either removed or replaced by another rule, so the stored incident still references a rule that no longer exists under that name.


To resolve this, import the Sigma rule manually from the Super CLI, as follows:

git clone https://github.com/SigmaHQ/sigma.git
cd sigma

Example: fetch a single rule file directly from the repository.

wget https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml

In previous versions, the name was Windows: Outbound Kerberos Connection From Suspicious Executables.

In recent versions, the name is Windows: Uncommon Outbound Kerberos Connection.


If that does not work, import the rule manually as described in Importing Sigma Rules.

When prompted for the URL, provide win_security_susp_outbound_kerberos_connection.yml.
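Because the upstream rule kept its identity but changed its title between versions, the reliable way to match an incident's rule against the current rule set is by the Sigma rule's id field rather than its title. The following is an added example (not part of the original article and not FortiSIEM or SigmaHQ code) that extracts the top-level title, id and status fields from a Sigma YAML file with sed and classifies an old copy against a freshly fetched copy as same, renamed or different-rule. The sample rule files are constructed here with placeholder ids and the titles quoted above, not the real upstream metadata.

```shell
#!/bin/sh
# Added example: compare a previously stored Sigma rule with a freshly
# fetched upstream copy by id, so a title change is recognised as a rename
# rather than as a missing rule. Assumes Sigma YAML with top-level keys
# (title, id, status) written at column 0, as SigmaHQ rules are.

sigma_field() {
    # Print the value of top-level scalar key $2 from rule file $1.
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

sigma_compare() {
    # $1 = old copy of the rule, $2 = newly fetched copy.
    # Prints: same | renamed | different-rule (exit 1 for different-rule)
    old_id=$(sigma_field "$1" id)
    new_id=$(sigma_field "$2" id)
    if [ "$old_id" != "$new_id" ]; then
        echo different-rule
        return 1
    fi
    old_title=$(sigma_field "$1" title)
    new_title=$(sigma_field "$2" title)
    if [ "$old_title" != "$new_title" ]; then
        echo renamed
    else
        echo same
    fi
}

# Constructed sample files (placeholder ids; not the real rule's metadata).
SIGMA_DEMO_DIR=$(mktemp -d)

cat > "$SIGMA_DEMO_DIR/old.yml" <<'EOF'
title: Outbound Kerberos Connection From Suspicious Executables
id: 00000000-0000-4000-8000-000000000001
status: test
EOF

cat > "$SIGMA_DEMO_DIR/new.yml" <<'EOF'
title: Uncommon Outbound Kerberos Connection
id: 00000000-0000-4000-8000-000000000001
status: test
EOF

cat > "$SIGMA_DEMO_DIR/other.yml" <<'EOF'
title: Some Unrelated Rule
id: 00000000-0000-4000-8000-000000000002
status: experimental
EOF

# Usage: an incident stored under the old title still maps to the same rule id.
printf 'old -> new: %s\n' "$(sigma_compare "$SIGMA_DEMO_DIR/old.yml" "$SIGMA_DEMO_DIR/new.yml")"
```

Run against a stored copy of the rule and the file fetched with wget above; a result of renamed means the incident in the database refers to the same rule under its earlier title, whereas different-rule means the rule referenced by the incident is no longer in the upstream set.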