FortiSIEM Discussions
jrpayne
New Contributor

Executable file posting rule

I have just deployed FortiSIEM and I am now working through the process of tuning it.
I have a rule that is being triggered (Executable file posting from an external source)
to our reverse proxy server. The commands are known commands of .aspx pages and I would
like to filter that traffic based on the commands that it sees being posted. However, I
am not sure that is the best or most secure way to do it or even if it is possible.
It doesn't seem like an exception is the proper way to do this so I wanted to get some expert
opinions.

Stephen_G
Moderator

Hi jrpayne,


I have moved your post to the FortiSIEM community group, where you are more likely to receive a reply.


Kind regards,

Stephen - Fortinet Community Team
Secusaurus
Contributor

Hello @jrpayne,


First thing, you should get familiar with rules and how they are designed. First start could be the documentation: https://help.fortinet.com/fsiem/7-1-7/Online-Help/HTML5_Help/Rules.htm

I would also recommend the Fortinet NSE training (FCP FortiSIEM) for this very complex product.


In general, rules look at the input data with filters, just as you do in the Analytics pane. They then use an aggregation function (in the Analytics pane, the "group by" option on the upper right), usually for counting how many of these events happened in a defined timeframe.

(Simplified) The rule engine then checks every 30 seconds whether the conditions are met and, if so, raises an Incident. Only at that moment does the engine check your exceptions, which means two things:

1) In the resulting table in RAM, the fields you would like to filter by must be present.

2) All the calculation and lookup has already happened. So the CPU and RAM had to be used for this, even if an exception results in no Incident being thrown.


As a conclusion, the best way is always to edit the rule and not the exceptions.

In your case, you would configure the condition so that it excludes events that are related to your specified applications. You can just use the Analytics view to try to get a result that matches your needs.


If you do not want to get application logs at all, you can pre-filter the logs already before they are stored into the eventDB.


In case you need further help, feel free to ask.


Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
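The evaluation order described in the reply above (filter, aggregate in memory, check the threshold, then apply exceptions), as an added model to illustrate the point, not code from FortiSIEM or from the poster. The event fields, the known-application URI list and the threshold are assumptions; the events are constructed sample data.

```python
# Constructed model of a rule pipeline: filter -> aggregate -> threshold -> exceptions.
# Illustration only; not FortiSIEM's implementation. Field names are assumptions.
from collections import Counter

# Constructed sample events (not real logs): HTTP POSTs seen by a reverse proxy.
EVENTS = [
    {"srcIp": "203.0.113.10", "uri": "/api/upload.aspx", "fileType": "exe"},
    {"srcIp": "203.0.113.10", "uri": "/api/upload.aspx", "fileType": "exe"},
    {"srcIp": "203.0.113.10", "uri": "/api/upload.aspx", "fileType": "exe"},
    {"srcIp": "198.51.100.7", "uri": "/cmd.aspx", "fileType": "exe"},
    {"srcIp": "198.51.100.7", "uri": "/cmd.aspx", "fileType": "exe"},
    {"srcIp": "192.0.2.44", "uri": "/index.html", "fileType": "html"},
]

KNOWN_APP_URIS = {"/api/upload.aspx"}  # assumed: endpoints of the legitimate .aspx application
THRESHOLD = 2                           # assumed: incident when a source posts >= 2 executables


def evaluate(events, exclude_in_condition):
    """Return (incident_sources, events_aggregated).

    exclude_in_condition=True  -> the known URIs are dropped by the rule condition,
                                  before aggregation (what the reply recommends).
    exclude_in_condition=False -> they are dropped by an exception, after the
                                  in-memory aggregate table has already been built.
    """
    def condition(e):
        if e["fileType"] != "exe":
            return False
        return not exclude_in_condition or e["uri"] not in KNOWN_APP_URIS

    matched = [e for e in events if condition(e)]
    # Aggregation: build the in-memory table, grouped by source IP and URI,
    # so that the URI column exists for the exception to filter on later.
    table = Counter((e["srcIp"], e["uri"]) for e in matched)
    rows = [(ip, uri, n) for (ip, uri), n in table.items() if n >= THRESHOLD]
    if not exclude_in_condition:
        # Exception phase: the work above is already spent; only columns present
        # in the table (here srcIp and uri) can be used to suppress rows.
        rows = [r for r in rows if r[1] not in KNOWN_APP_URIS]
    return sorted({ip for ip, _, _ in rows}), len(matched)
```

Both variants raise the same incident for the unknown source, but the exception variant aggregates all five executable posts instead of two, which is the wasted CPU and RAM the reply refers to.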