amacready
New Member
April 16, 2025
Question

Attribute not appearing in incident title
I have created a rule to detect whenever there is a successful VPN login. I have the incident title set as:
"Successful VPN login from $user at IP $srcIpAddr to $userGrp"

However, the "$userGrp" attribute is not displaying as expected. Instead, it comes through as the "$user" attribute followed by "Grp".

Example: I (amacready) log on as part of the "Standard" user group

Desired result: "Successful VPN login from amacready at IP 1.2.3.4 to Standard"

Actual result: "Successful VPN login from amacready at IP 1.2.3.4 to amacreadyGrp"

Is anyone able to suggest where I'm going wrong?

4 replies

Stephen_G
Moderator
April 20, 2025

Hello amacready,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

If anyone viewing this topic has any knowledge on this, I encourage you to reply.

Thanks,

Stephen_G - Fortinet Community Team
Stephen_G
Moderator
April 24, 2025

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Thanks,

Stephen_G - Fortinet Community Team
Stephen_G
Moderator
April 27, 2025

While we get you further help, here are some steps to try in the meantime:

1. Verify Attribute Mapping: Ensure that the `$usergrp` attribute is correctly mapped to the user group information in your FortiSIEM configuration. Check the attribute mapping settings to confirm that it is pulling the correct data.
2. Check Event Parsing: Review the event parsing logic to ensure that the user group information is being correctly extracted from the log data. This might involve checking the parsing rules or patterns used to identify and extract the user group.
3. Review Rule Configuration: Double-check the rule configuration to ensure that the `$usergrp` variable is correctly defined and used. Make sure there are no typos or misconfigurations in the rule syntax.
4. Test with Sample Data: Use sample log data to test the rule and see if the issue persists. This can help identify if the problem is with the rule logic or the incoming data.

Stephen_G - Fortinet Community Team
amacready (Author)
New Member
April 29, 2025

Hi Stephen,

Thank you for your assistance and those suggestions. I can confirm that the User Group attribute is definitely pulling through the right data, as I have used it in the SubPattern definition for my rule, to exclude VPN logins for a particular User Group (and I can confirm that this is working, as no incidents have been generated for that User Group).

The variable "$userGrp" came from using the "Insert Attribute" drop down and selecting "User Group" so I believe it's the correct syntax.

I have configured the system to send me an email when an incident is generated from this rule, and I can confirm that the body of that email correctly displays the value for the User Group. It's just the incident title that doesn't seem to pull it through.

Regards,

Alison

Stephen_G
Moderator
May 1, 2025

Hi again Alison,

Can we recommend you open a ticket with TAC and attach your FortiSIEM -> Resources -> Rules configuration for us to examine this? It definitely sounds like this is a bug.

Stephen_G - Fortinet Community Team
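The symptom in this thread ("amacreadyGrp" instead of "Standard") is exactly what a template expander produces when it substitutes attributes one at a time and one name ($user) is a prefix of another ($userGrp). The Python below is an added illustration, not FortiSIEM code and not from anyone in the thread; that FortiSIEM's title expansion behaves this way is an assumption, and the attribute values are constructed to match the example in the question.

```python
import re

# Constructed sample attribute values (not real FortiSIEM data).
ATTRS = {"user": "amacready", "srcIpAddr": "1.2.3.4", "userGrp": "Standard"}
TEMPLATE = "Successful VPN login from $user at IP $srcIpAddr to $userGrp"

def expand_naive(template, attrs):
    """Replace attributes one by one with plain string replacement.
    When a shorter name ($user) is a prefix of a longer one ($userGrp) and
    is processed first, it also matches inside the longer name and leaves
    "Grp" behind. Hypothesis for the symptom, not FortiSIEM's own logic."""
    out = template
    for name, value in attrs.items():  # dict order: user, srcIpAddr, userGrp
        out = out.replace("$" + name, str(value))
    return out

def expand_tokenized(template, attrs):
    """Match each whole $identifier token and replace it in one pass.
    The regex consumes the full name, so $userGrp is never split into
    $user + "Grp". Unknown attributes are left as-is so they stay visible."""
    def sub(m):
        name = m.group(1)
        return str(attrs[name]) if name in attrs else m.group(0)
    return re.sub(r"\$([A-Za-z_][A-Za-z0-9_]*)", sub, template)

def expand_longest_first(template, attrs):
    """Fallback if sequential replacement must stay: order names longest
    first so $userGrp is substituted before $user can clip it."""
    out = template
    for name in sorted(attrs, key=len, reverse=True):
        out = out.replace("$" + name, str(attrs[name]))
    return out

if __name__ == "__main__":
    print("naive:       ", expand_naive(TEMPLATE, ATTRS))
    print("tokenized:   ", expand_tokenized(TEMPLATE, ATTRS))
    print("longest-1st: ", expand_longest_first(TEMPLATE, ATTRS))
```

Running it reproduces the "amacreadyGrp" title from the naive expander and the desired "Standard" title from either fix, which is a quick way to check whether a given template engine is prefix-safe before relying on it in incident titles.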