FortiSIEM Discussions
mohamed44
New Contributor

CMDB Report

Hi All,

I am running CMDB Reports toward incidents. I need to get incidents triggered, for example, 4 days ago. What attribute should I use, and what are the values of those attributes?

I was trying to configure one; see the image below.

 

Screenshot 2024-06-30 131943.png

FortiSIEM 

#CMDB

Thanks in advance

 

Muhammed
3 REPLIES
sioannou
Contributor

Hi @mohamed44 , 

 

When working with FortiSIEM, time in searches or API queries is in Epoch time. Have a look at the article https://community.fortinet.com/t5/FortiSIEM/Technical-Tip-How-to-purge-events-for-an-organization-fr... - Section Date.

 

Also, if I can ask, what version of FortiSIEM are you using? I don't remember Incident First Seen as a variable; I think the variable is Incident First Occurrence Time.

 

Regards,

 

S

 
mohamed44

Dear @sioannou, I'm working on FortiSIEM version 7.1.3, and I notice that the attribute called:

Incident First Occurrence Time

but it won't appear while running or configuring a CMDB report for incidents.

BR

Update: I tried to use the epoch time, but it did not work.

Muhammed
sioannou
Contributor

Hi @mohamed44 ,

 

CMDB reports are purely for CMDB (devices under monitoring); they do not contain any information on Incidents, nor can you create a report for Incidents under CMDB Reports.

 

If you are looking into developing a new Incident Report, then the best option is to go to Resources -> Reports -> Incidents, find a relevant report, load it into analytics, make the necessary customisations, and then save it as a new report for future reference.

When working with analytics, if you are looking for information not in the Events (i.e. System Event Category = 0), then you need to specify the System Event Category as shown at https://help.fortinet.com/fsiem/7-1-1/Online-Help/HTML5_Help/Event-categories-handling.htm

 

Regards,

S
