FortiSIEM Discussions
Martin_Sa
New Contributor

Analyze incident "FortiSIEM: Too Many Unknown Events"

Hello,

How can we find out from which log source the events that cannot be parsed are coming?


This is not clear from the Incident or RAW log; it only says the collector. Any ideas? Thanks in advance!

Greetings
Martin

1 REPLY
cdurkin_FTNT
Staff

I would suggest the easiest way would be to create an Analytic search...


Condition: Event Type = Unknown_EventType (or simply Event Type CONTAIN Unknown_)


Group By: Reporting IP & Count (Matched Events)


This will display which host is reporting the most Unknown Events and then you can pivot from there to view the raw messages if required.
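The search described in the reply (filter on Event Type containing "Unknown_", group by Reporting IP, count matched events, then pivot to the raw messages of the top offender) can also be run offline against an exported event list, which is handy when you want to keep a record or go one step further than the GUI. The script below is an added example, not code from the original post or from Fortinet. It assumes a CSV export with the columns reporting_ip, event_type and raw_message (column names are an assumption for this example) and uses a constructed sample; the last helper additionally pulls the hostname out of the syslog header of each unparsed message, on the assumption that the messages follow the BSD syslog layout, which helps when the reporting IP is a relay rather than the real origin.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample export for this example (not real FortiSIEM data). The
# column names reporting_ip / event_type / raw_message are an assumption.
SAMPLE_EXPORT = """\
reporting_ip,event_type,raw_message
10.0.0.5,Unknown_EventType,"<13>Mar  3 10:01:02 app01 custom: status=ok"
10.0.0.5,Unknown_EventType,"<13>Mar  3 10:01:07 app01 custom: status=ok"
10.0.0.9,Unknown_EventType,"<134>Mar  3 10:02:15 fw02 kernel: IN=eth0 OUT= ..."
10.0.0.5,Unknown_EventType,"<13>Mar  3 10:03:44 app01 custom: status=warn"
10.0.0.7,Win-Security-4624,"An account was successfully logged on ..."
10.0.0.9,PH_DEV_MON_SYS_CPU_UTIL,"..."
10.0.0.5,Unknown_EventType,"<13>Mar  3 10:05:00 app01 custom: status=ok"
"""

# BSD syslog header: <PRI>Mon dd hh:mm:ss HOSTNAME ... (assumed message layout)
SYSLOG_HEADER = re.compile(r"^<\d+>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (\S+)")


def unknown_events_by_reporting_ip(export_text):
    """Offline equivalent of the reply's search:
    Event Type CONTAIN Unknown_, Group By Reporting IP, Count(Matched Events).
    Returns [(reporting_ip, count), ...] sorted by count, highest first."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        if "Unknown_" in row["event_type"]:
            counts[row["reporting_ip"]] += 1
    return counts.most_common()


def sample_raw_messages(export_text, reporting_ip, limit=3):
    """The pivot step: collect up to `limit` raw messages that one reporting IP
    sent and that stayed unparsed, so the log format can be identified."""
    samples = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["reporting_ip"] == reporting_ip and "Unknown_" in row["event_type"]:
            samples.append(row["raw_message"])
            if len(samples) >= limit:
                break
    return samples


def origin_hostnames(export_text):
    """Group unparsed messages by the hostname in their syslog header.
    Useful when the reporting IP is a relay/collector and not the real source.
    Messages without a recognisable header are counted under None."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        if "Unknown_" not in row["event_type"]:
            continue
        match = SYSLOG_HEADER.match(row["raw_message"])
        counts[match.group(1) if match else None] += 1
    return counts.most_common()


if __name__ == "__main__":
    ranking = unknown_events_by_reporting_ip(SAMPLE_EXPORT)
    print("Unknown events per reporting IP:")
    for ip, n in ranking:
        print(f"  {ip}\t{n}")
    top_ip = ranking[0][0]
    print(f"\nSample raw messages from {top_ip}:")
    for msg in sample_raw_messages(SAMPLE_EXPORT, top_ip):
        print("  " + msg)
    print("\nOrigin hostnames seen in unparsed messages:")
    for host, n in origin_hostnames(SAMPLE_EXPORT):
        print(f"  {host}\t{n}")
```

Once the top reporting IP and its raw format are known, the usual next step is either to point the device at the correct parser (if it is a supported product sending through an unexpected port or format) or to write a custom parser for it, which removes the source of the "Too Many Unknown Events" incident rather than just silencing it.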