FortiSIEM - Rule Exceptions not working
Sent: May 29, 2020 02:09 AM
From: Isuru Tharanga
Hi,
I was trying to reduce false positives from several rules and wanted to have a few exceptions / whitelisting in place. The following is a sample scenario where I want to whitelist several domains that are triggering the "System Rule : Blacklist User Agent Match".
I cloned the rule and set a few exceptions in the Exception section as follows:
Moreover, I have created a few lists for easy management as follows:
This is one of those lists I have created.
I tried the rule testing feature as well, but it won't whitelist the domains I excluded.
Since then I tried excluding them in the rule condition section as follows:
This won't work either. It is still triggering the alarms for the whitelisted domains as well.
The following is a sample log that I'm trying to whitelist:
Any suggestions on this matter?
Regards,
Isuru
Sent: Jun 18, 2020 02:27 AM
From: Daniel Hanman
Hi Isuru, sorry for the delay.
Can you send me that test event? I want to test this out in the lab.
Looking at the rule, this should work.
What version of FSM are you running? If on 5.3.0, I suggest trying 5.3.1.
Thanks
Dan
Sent: Jun 22, 2020 03:32 AM
From: Isuru Tharanga
RAW logs
Sent: Jun 25, 2020 03:18 PM
From: Hugo Pinto
Hi,
I have the same issue with rule exceptions when we don't pass the event attribute in the Group By condition.
Try passing one folder in the rule exceptions, like this:
A IN A OR
A IN B OR
Sent: Jun 25, 2020 08:54 PM
From: Isuru Tharanga
Hi Hugo,
Thanks for the insight. I'll try it and let you know.
Regards,
Isuru
Sent: Jun 25, 2020 09:52 PM
From: Isuru Tharanga
Hi Hugo,
I have set up the rule exceptions as you mentioned,
and added the "Destination Host Name" attribute to the Group By fields as follows:
But I have the same issue with another rule, "Outbound cleartext password usage from non guest network detected", where I want to exclude a specific "Destination IP" from triggering; it is already in the Group By fields and only refers to a single group, as follows:
Still, the rule will trigger for an IP in the range, as follows:
Cheers,
Isuru
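Hugo's suggestion (put the attribute the exception refers to into the rule's Group By fields) and Isuru's follow-up about a Destination IP exception that still fires for an address in the excepted range can both be seen in a small model of how a grouped correlation rule applies its exception list. This is an added example, not FortiSIEM code or anything posted in the thread: the evaluation order (filter events, group them by the Group By attributes, then test each exception against the attributes the grouped incident carries) is an assumption made for illustration, the event field names are FortiSIEM-style but chosen here, the blacklist pattern and the two allow-lists stand in for the CMDB lists in the screenshots, and the events are constructed.

```python
"""Model of a grouped correlation rule with an exception (whitelist) list.

Added example, not FortiSIEM code.  Assumption: exceptions are evaluated
against the attributes carried by the grouped incident, so an exception on
an attribute that is not in the Group By clause can never match.  Event
field names are chosen here; the events are constructed samples.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample events (not the raw logs attached to the thread).
EVENTS = [
    {"srcIp": "10.1.1.5", "destIp": "203.0.113.10",
     "destName": "cdn.example.net", "httpUserAgent": "python-requests/2.22"},
    {"srcIp": "10.1.1.6", "destIp": "198.51.100.7",
     "destName": "evil.example.org", "httpUserAgent": "python-requests/2.22"},
    {"srcIp": "10.1.1.7", "destIp": "203.0.113.20",
     "destName": "updates.example.com", "httpUserAgent": "Mozilla/5.0"},
]

# Stand-in for the rule's blacklisted user-agent pattern (chosen here).
BLACKLISTED_UA = re.compile(r"python-requests|curl/|sqlmap", re.I)

# Stand-ins for the CMDB lists referenced from the exception section.
ALLOWED_DOMAINS = {"cdn.example.net", "updates.example.com"}
ALLOWED_DEST_NETS = {"203.0.113.0/24"}


def matches_condition(event):
    """The rule's own condition: the user agent matches the blacklist."""
    return bool(BLACKLISTED_UA.search(event.get("httpUserAgent", "")))


def value_in_list(value, allowed):
    """Exact (case-insensitive) match, or CIDR containment for entries
    written as networks, so a whole range can be excepted at once."""
    for entry in allowed:
        if "/" in entry:
            try:
                if ipaddress.ip_address(value) in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                continue  # value is not an IP address; it cannot match a network
        elif str(value).lower() == entry.lower():
            return True
    return False


def fire(events, group_by, exceptions):
    """Return the incidents that would fire: one per distinct Group By key
    among matching events, minus those suppressed by an exception.

    `exceptions` is a list of (attribute, allowed-values) pairs that are
    ORed together, i.e. "A IN list1 OR A IN list2".
    """
    groups = defaultdict(list)
    for ev in events:
        if matches_condition(ev):
            groups[tuple((a, ev.get(a)) for a in group_by)].append(ev)

    fired = []
    for key, members in groups.items():
        incident = dict(key)
        suppressed = False
        for attr, allowed in exceptions:
            if attr not in incident:
                # The incident does not carry this attribute, so the
                # exception has nothing to compare against and never matches.
                continue
            if value_in_list(incident[attr], allowed):
                suppressed = True
                break
        if not suppressed:
            incident["eventCount"] = len(members)
            fired.append(incident)
    return fired


if __name__ == "__main__":
    # Exception on destName while destName is not in the Group By:
    # both python-requests incidents still fire.
    print(fire(EVENTS, ("srcIp", "httpUserAgent"), [("destName", ALLOWED_DOMAINS)]))
    # Same exception with destName added to the Group By: only the
    # non-whitelisted destination fires.
    print(fire(EVENTS, ("srcIp", "httpUserAgent", "destName"), [("destName", ALLOWED_DOMAINS)]))
    # A Destination IP exception expressed as a network rather than a single host.
    print(fire(EVENTS, ("srcIp", "destIp"), [("destIp", ALLOWED_DEST_NETS)]))
```

The first two calls show the effect Hugo describes: with the same whitelist, the incident is only suppressed once the attribute the exception tests is part of the grouped key. The third call shows a range exception that actually suppresses every destination inside the network, which is the behaviour Isuru expected and did not get; if your list entry is a single host while the event carries another address in the same range, no exact-match exception will fire, so check what the group object resolves to before blaming the exception engine.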
Sent: Jul 16, 2020 03:37 AM
From: Hugo Pinto
Hi Isuru,
We have the same issue; our environment is a cluster of 1 Super + 2 Workers.
It seems to be a bug, because Redis doesn't pass the objects to the Workers.
In our case we resolved the issue by killing Java:
SSH to the Super, then run
killall -9 java
phstatus -a
Regards
Hugo Pinto
Claranet Portugal
As for exceptions not working: on upgrade, certain natural_ids for objects in the Postgres DB contain special characters that aren't handled correctly by phQueryMaster/Worker.
Fortinet will have to guide you on removing %2d (for -) from certain object names in the natural_id, or the character representation of whitespace in the natural_ids of certain objects.
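The last reply points at a concrete thing to check before opening a support case: whether any of your CMDB object identifiers carry percent-encoded bytes (such as %2d for "-") or whitespace. The script below is an added example, not FortiSIEM or Fortinet code and not posted in the thread; it audits an exported list of natural_id values and reports the ones that contain such characters, together with a decoded form and a plain-ASCII candidate name. The page does not say which table or column holds these values, so obtain the export however your support contact advises; the sample identifiers are constructed, and the script only reports, it changes nothing.

```python
"""Audit exported CMDB natural_id values for characters the thread reports
as mishandled after upgrade: percent-encoded bytes such as %2d, and
whitespace in literal or encoded form.

Added example, not FortiSIEM or Fortinet code.  The sample identifiers are
constructed; the table and column they come from are not given on the page.
This script only reports; it does not modify the database.
"""
import re
from urllib.parse import unquote

# Constructed sample of exported natural_id values.
SAMPLE_NATURAL_IDS = [
    "PH_GROUP_ALLOWED_DOMAINS",
    "Whitelist%2dDomains",            # '-' stored percent-encoded
    "Allowed%20Dest%20IPs",           # spaces stored percent-encoded
    "Cleartext Password Exceptions",  # literal whitespace
    "PH_RULE_BLACKLIST_UA_CLONE",
]

PERCENT_BYTE = re.compile(r"%[0-9A-Fa-f]{2}")
WHITESPACE = re.compile(r"\s")
UNSAFE = re.compile(r"[^A-Za-z0-9_]")


def audit_natural_id(natural_id):
    """Return a finding for an identifier that needs attention, or None."""
    issues = []
    encoded = sorted({m.lower() for m in PERCENT_BYTE.findall(natural_id)})
    if encoded:
        issues.append("percent-encoded bytes: " + " ".join(encoded))
    if WHITESPACE.search(natural_id):
        issues.append("literal whitespace")
    if not issues:
        return None
    decoded = unquote(natural_id)
    return {
        "natural_id": natural_id,
        "decoded": decoded,
        "issues": issues,
        # Candidate replacement built from the decoded name.  Confirm with
        # Fortinet support before renaming anything in the CMDB.
        "candidate": UNSAFE.sub("_", decoded),
    }


def audit(natural_ids):
    """Findings for every identifier in the export that contains such characters."""
    return [f for f in map(audit_natural_id, natural_ids) if f]


if __name__ == "__main__":
    for finding in audit(SAMPLE_NATURAL_IDS):
        print(f"{finding['natural_id']!r}: {'; '.join(finding['issues'])}"
              f" -> candidate {finding['candidate']!r}")
```

Run it over the export and hand the findings to support; the candidate names are only there to make the conversation concrete, since renaming objects whose natural_id is referenced by rules and exception lists is exactly the step the reply says Fortinet has to guide.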
