Hello
I have a rule called "Successful Windows Dormant Account Logon" which works great, but I would need to tweak the number of days it responds to, and I can't figure out how to change the number of days since last login (which is detected by LDAP sync) that the SIEM acts on.
The rule consists of "Group@PH_SYS_EVENT_HostLogonSuccess,Group@PH_SYS_EVENT_DomainLogonSuccess" and "Group@PH_DYNLIST_DORMANT_USERS", which are Event Types. I don't understand the connection between Event Types and the rule itself, which only consists of Event Types that cannot be changed (?).
How can I change the rule containing the attribute "Event Type=Group@PH_SYS_EVENT_HostLogonSuccess,Group@PH_SYS_EVENT_DomainLogonSuccess" to act on more days than 30?
Or less, if I want to?
I can't manage to read up on this somehow.
I would humbly like to get a complete explanation of how Event Types work in SIEM and how the connection is to the rule itself as well as how to change these values. I've copied system rules before and changed the content to suit our environment but now I'm stuck on this.
Hi @pr7 ,
The rule is triggered for users in group PH_DYNLIST_DORMANT_USERS.
"PH_DISCOV_ADS_DORMANT_ACCT" is for AD users that have not logged in for more than 30 days. Basically, upon discovery, users are added into group PH_DYNLIST_DORMANT_USERS.
So when these users get a logon, it then matches the pattern and triggers the rule.
You can analyze the fields from the parsed log to see what further tweaks can be done.
Regarding your specific query to act on more or less than 30 days, look for the field [daysSinceLastLogon] and use it in rules accordingly.
Thanks for the answer!
However, I cannot for my life figure out how to find daysSinceLastLogon and further manage this via a tweaked rule. I certainly wouldn't say no to some kind of instruction around this.
Note that I am relatively new to this particular SIEM product and haven't gotten that far yet in my FortiSIEM journey.
Thank you again for your commitment.
Hi @pr7 ,
When I run LDAP Discovery I get this field automatically.
Sample log:
[user]=,[userFullName]=33e3bf06-98e1-473c-85e6-5495c3e4y52e,[userDN]=CN=33e3bf06-98e1-473c-85e6-5495c3e4y52e,CN=e50bb63a-03b-49fe-ae38-df459e2d34d1,CN=BDWS,CN=Microsoft,CN=Program Data,DC=globalTech,DC=local,[lastLogon]=0,[daysSinceLastLogon]=19420,[phLogDetail]=
If you aren't receiving it, then do review the LDAP Discovery integration as per the documentation. Since it's specific to your system and involves checking your environment, it is better to open a support ticket for further clarification.
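An added example, not from the post or from FortiSIEM itself: it parses the discovery line quoted above (its "[key]=value" layout) and emulates the dormant list and the rule's condition with an adjustable day threshold. The two extra discovery lines and the logon user list are constructed samples; the field names come from the quoted log.

```python
import re
from typing import Dict, Iterable, List, Set

# The LDAP discovery line quoted in the answer above (copied verbatim).
SAMPLE_LINE = ("[user]=,[userFullName]=33e3bf06-98e1-473c-85e6-5495c3e4y52e,"
               "[userDN]=CN=33e3bf06-98e1-473c-85e6-5495c3e4y52e,CN=e50bb63a-03b-49fe-ae38-df459e2d34d1,"
               "CN=BDWS,CN=Microsoft,CN=Program Data,DC=globalTech,DC=local,"
               "[lastLogon]=0,[daysSinceLastLogon]=19420,[phLogDetail]=")

# Constructed sample inputs (not from the post): discovery lines for two
# accounts, and the users seen in successful logon events afterwards.
DISCOVERY_LINES = [
    "[user]=svc_backup,[userFullName]=Backup Service,[userDN]=CN=svc_backup,"
    "OU=Service Accounts,DC=example,DC=local,[lastLogon]=133500000000000000,"
    "[daysSinceLastLogon]=45,[phLogDetail]=",
    "[user]=jdoe,[userFullName]=Jane Doe,[userDN]=CN=Jane Doe,OU=Users,"
    "DC=example,DC=local,[lastLogon]=133520000000000000,[daysSinceLastLogon]=3,"
    "[phLogDetail]=",
]
LOGON_USERS = ["svc_backup", "jdoe"]

# Values are delimited by the next "[key]=" marker, not by commas: a userDN
# contains commas of its own, and a value may be empty (see [user]= above).
_FIELD_RE = re.compile(r"\[(\w+)\]=")

def parse_ph_fields(line: str) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    marks = list(_FIELD_RE.finditer(line))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(line)
        value = line[m.end():end]
        fields[m.group(1)] = value[:-1] if value.endswith(",") else value
    return fields

def is_dormant(fields: Dict[str, str], threshold_days: int = 30) -> bool:
    # The threshold the poster wants to vary; the system default is 30 days.
    # In the sample, lastLogon=0 (AD's "never logged on") comes with
    # daysSinceLastLogon=19420, so such accounts are dormant at any threshold.
    raw = fields.get("daysSinceLastLogon", "")
    return raw.isdigit() and int(raw) > threshold_days

def dormant_users(lines: Iterable[str], threshold_days: int = 30) -> Set[str]:
    # Emulates membership of PH_DYNLIST_DORMANT_USERS for a chosen threshold.
    parsed = (parse_ph_fields(line) for line in lines)
    return {f["user"] for f in parsed if f.get("user") and is_dormant(f, threshold_days)}

def dormant_logons(logon_users: Iterable[str], dormant: Set[str]) -> List[str]:
    # The rule's condition: a successful logon by a user in the dormant list.
    return [u for u in logon_users if u in dormant]
```

Calling dormant_users(DISCOVERY_LINES, 60) instead of 30 shows how widening the window empties the list for these samples, which is the knob the poster is asking about.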