Skip to main content
uns8eshow
uns8eshow
Visitor III
April 16, 2025
Solved

New Host Detected use case / rule

  • April 16, 2025
  • 3 replies
  • 886 views

Hello community, I am new to FortiSIEM, I want to build a rule to detect new devices in my network, I had the idea to create like a list containing MAC addresses and a rule to check each time if a mac is in that list if not it will trigger an incident and add the mac address to the list (if you are familiar with qradar it is like a reference set), the problem is I don't know if that is applicable also in FortiSIEM or there is another approach to solve the problem??? any idea is appreciated, thank you in advance.

Best answer by uns8eshow

Hello again,

I found a workaround to implement this using just the SIEM. Here is what I did:

First, I performed a search and grouped all MAC addresses found in the SIEM over the last 7 days.

I sanitized the list and added it to the SIEM as a watch list by importing a CSV file.

Then, I created a rule to check whether the newly collected MAC addresses are on that list or not. If a MAC address is not on the list, it triggers an incident and adds that MAC address to the list.

I hope this can help anyone trying to implement the same thing. I am open to any further development of the context.

Have a good day.

3 replies

AEK
SuperUser
AEK
SuperUser
April 16, 2025

Hi

I don't have idea how can do this with SIEM, but I know that is easily done with a NAC solution.

AEK
    uns8eshow
    uns8eshowAuthor
    Visitor III
    April 17, 2025

    Thank you for your reply.

    uns8eshow
    uns8eshowAuthorAnswer
    Visitor III
    April 18, 2025

    Hello again,

    I found a workaround to implement this using just the SIEM. Here is what I did:

    First, I performed a search and grouped all MAC addresses found in the SIEM over the last 7 days.

    I sanitized the list and added it to the SIEM as a watch list by importing a CSV file.

    Then, I created a rule to check whether the newly collected MAC addresses are on that list or not. If a MAC address is not on the list, it triggers an incident and adds that MAC address to the list.

    I hope this can help anyone trying to implement the same thing. I am open to any further development of the context.

    Have a good day.

      AEK
      SuperUser
      AEK
      SuperUser
      April 18, 2025

      Hi

      Thanks for sharing.

      Nice job! I love the idea, and I see how much we can do unimaginable tricks with SIEM.

      You can mark your response as solution.

      AEK
        Terms & ConditionsAccessibility statement