Help
FortiSIEM Discussions
labsession101
New Contributor

Created on ‎10-12-2023 12:58 AM

FortiSIEM fine tuning

Hi,

Any tips or documentation for fine tuning the fortiSIEM rules/incident alert?
Trying to improve or add fine tuned rules / incident alerts we are getting from the fortiSIEM.

 

Thank you.

1231
0 Kudos
2 Solutions
Secusaurus
Contributor II

Created on ‎10-12-2023 01:18 AM

Hi labsession101,

 

Are you using a multi tenant version or enterprise version? In a multi tenant environment you need to consider that fine-tuning could (but does not need to) be different for each tenant.

 

Anyways, we are using the following processes here:

  • Avoid making exceptions. E.g.: If a rule should not match on a specific device, either the device is in the "wrong" CMDB group or there are more general reason for not using the rule here, instead of excluding a single device.
    In our experience, the more exceptions you create, the more difficult it is to reproduce why something happened but we did not see an Incident
  • Copy a rule, disable it and refine the copy. If you need to get back to the original one, you can also get the original idea again.
  • (generally for rules) Avoid inserting single values, like an exact IP address. Try to use CMDB/resource values as often as possible to be flexible for other tenants
  • We do always write down changes to rules in a separate document/wiki. Ca. once a month, we review all the refined rules, if the refinement still makes sense.

Does this help? Or are you looking for specific examples of refinements here?

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner

View solution in original post

FCP & FCSS Security Operations | Fortinet Advanced Partner
1222
Secusaurus
Contributor II
In response to labsession101

Created on ‎10-13-2023 01:41 AM

Hi labsession101,

 

No, we don't send all incidents per mail (btw: use the mail encryption feature for this), because this would be an immense load to look through. Looking at the incidents on FSM itself is way better (assuming you have analysts that look at these all the time).

 

Our analysts receive the HIGH prio incidents, if they want, but only the "active" states. Our supervisors receive the HIGH prio with "clear" events as well, if they want.

But most notifications from our FSM deployment are from cases, not from incidents.

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner

View solution in original post

FCP & FCSS Security Operations | Fortinet Advanced Partner
1186
0 Kudos
5 REPLIES 5
Secusaurus
Contributor II

Created on ‎10-12-2023 01:18 AM

Hi labsession101,

 

Are you using a multi tenant version or enterprise version? In a multi tenant environment you need to consider that fine-tuning could (but does not need to) be different for each tenant.

 

Anyways, we are using the following processes here:

  • Avoid making exceptions. E.g.: If a rule should not match on a specific device, either the device is in the "wrong" CMDB group or there are more general reason for not using the rule here, instead of excluding a single device.
    In our experience, the more exceptions you create, the more difficult it is to reproduce why something happened but we did not see an Incident
  • Copy a rule, disable it and refine the copy. If you need to get back to the original one, you can also get the original idea again.
  • (generally for rules) Avoid inserting single values, like an exact IP address. Try to use CMDB/resource values as often as possible to be flexible for other tenants
  • We do always write down changes to rules in a separate document/wiki. Ca. once a month, we review all the refined rules, if the refinement still makes sense.

Does this help? Or are you looking for specific examples of refinements here?

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
FCP & FCSS Security Operations | Fortinet Advanced Partner
1223
labsession101
New Contributor
In response to Secusaurus

Created on ‎10-12-2023 01:24 AM

Hi Chris,

Thank for your inputs. Will take these into consideration.
This is an enterprise deployment only so no other tenants needs to be considered.

So far what we have tried is to clone the default rule and edit it per our requirement.

was looking for other way or better way making fine tuning,

1220
0 Kudos
FSM_FTNT
Staff
Staff
In response to Secusaurus

Created on ‎10-12-2023 01:43 AM

There are some very good tips here about cloning and modifying the rule. Tracking why you made a change to a rule in a wiki is a very good approach. I've seen users put a link into the Description or Remediation notes to the wiki on what changes were made, why they were made and specific steps that should be taken if the rule triggers.

1216
0 Kudos
labsession101
New Contributor
In response to FSM_FTNT

Created on ‎10-12-2023 11:00 PM

In case of setting email alert, do you set to send all email alert or you just pick the high and medium incidents? (assuming this is a freshly deployed one)


although I was thinking that sometimes low incident like credentials invalid login should be part of email alert even this one is tagged as low in fortisiem.

1197
0 Kudos
Secusaurus
Contributor II
In response to labsession101

Created on ‎10-13-2023 01:41 AM

Hi labsession101,

 

No, we don't send all incidents per mail (btw: use the mail encryption feature for this), because this would be an immense load to look through. Looking at the incidents on FSM itself is way better (assuming you have analysts that look at these all the time).

 

Our analysts receive the HIGH prio incidents, if they want, but only the "active" states. Our supervisors receive the HIGH prio with "clear" events as well, if they want.

But most notifications from our FSM deployment are from cases, not from incidents.

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
FCP & FCSS Security Operations | Fortinet Advanced Partner
1187
0 Kudos
Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.