FortiSIEM Discussions
yadde
New Contributor

Fortisiem question

Hi All, Could really use some help/ideas on this below currently we have FortiSIEM but it just produces too many false positives, can't really see the most important incidents from all the incidents it produces.

How can we reduce the amount of false positives produced? Any exclusions and rules we need to target and customize for this? we also see a lot of Permitted Traffic from Emerging Threat IP and Permitted Traffic from FortiGuard Malware IP List. surely if these are coming up as malicious surely Forti guard database should be blocking them if they are? do we have to add or find more databases to integrate them to FortiSIEM to block theses malicious IP's? Hope to hear from you all.

Thank you in advance.

VidMate
3 REPLIES 3
premchanderr
Staff
Staff

Hi @yadde ,

 

To reduce false positives you can perform the below:

-  Create a watchlist and add that in rule exceptions. Like the rule not to be triggered for certain IPs or users. 

Documentation :
https://help.fortinet.com/fsiem/7-1-4/Online-Help/HTML5_Help/Watch_list.htm
https://help.fortinet.com/fsiem/7-1-4/Online-Help/HTML5_Help/Creating-rules.html#Defining3 

 

- Deactivate any rules that is not required. 

- Rule exception based on time, not to trigger at off business hours etc 

- Increase time window in rule to be triggered

- Define clear clear conditions 

 

For rules related to Fortiguard ip block, if remediation configured correctly then it should block the IP.

Regarding integrating other threatfeed you would need to decide this. 

Regards,
Prem Chander R
FSM_FTNT
Staff
Staff

Hi Yadde, I'd be interested to know what are the rules you consider to be false positive, maybe there is some tuning of the rules that are false positives.

If you are seeing peritted traffic inbound from IOC on threat feeds, you should investigate further. If you are seeing it trigger against Fortiguard then check the IoC on ioc.fortiguard.com (requires a FortiSIEM IOC threatfeed subscription) for more details.

 

You can also enable IoC lookups both in real time via notification policies and adhoc using this https://help.fortinet.com/fsiem/7-1-1/Online-Help/HTML5_Help/Integration-settings.htm#Configur9

Secusaurus
Contributor II

Hi @yadde,

 

Just one side-note: In our SOC (currently on FSM v7.1.3) our analysts obviously trained the ai enough to sort out a lot of false positives already; they make use of the "Incident Resolution Recommendation", see: https://help.fortinet.com/fsiem/7-1-4/Online-Help/HTML5_Help/incident_resolution_recommendation.htm

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
FCP & FCSS Security Operations | Fortinet Advanced Partner
Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"