Hi all, I could really use some help/ideas on this. Currently we have FortiSIEM, but it just produces too many false positives; we can't really see the most important incidents among all the incidents it produces.
How can we reduce the amount of false positives produced? Are there any exclusions and rules we need to target and customize for this? We also see a lot of "Permitted Traffic from Emerging Threat IP" and "Permitted Traffic from FortiGuard Malware IP List". Surely if these are coming up as malicious, the FortiGuard database should be blocking them? Do we have to add or find more databases to integrate into FortiSIEM to block these malicious IPs? Hope to hear from you all.
Thank you in advance.
Hi @yadde ,
To reduce false positives you can do the following:
- Create a watchlist and add it to the rule exceptions, e.g. so the rule is not triggered for certain IPs or users.
Documentation:
https://help.fortinet.com/fsiem/7-1-4/Online-Help/HTML5_Help/Watch_list.htm
https://help.fortinet.com/fsiem/7-1-4/Online-Help/HTML5_Help/Creating-rules.html#Defining3
- Deactivate any rules that are not required.
- Add rule exceptions based on time, e.g. not to trigger outside business hours.
- Increase the time window required for a rule to trigger.
- Define clear conditions.
For rules related to the FortiGuard IP block, if remediation is configured correctly then it should block the IP.
Regarding integrating other threat feeds, you would need to decide this yourself.
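The tuning steps above (watchlist exceptions, time-of-day exceptions and count-over-window thresholds) can be modelled with a few lines of code, which makes it easier to see how each one changes the incident volume before touching production rules. The block below is an added illustration, not code from this thread or from FortiSIEM, and it does not use FortiSIEM's rule format: the event rows, the exception watchlist, the business-hours set and the thresholds are all constructed for the example. `rank_rules` shows which rules are the noisiest (candidates for deactivation or tuning); `tune` applies the exceptions and thresholds and returns what would still become an incident.

```python
"""Toy model of SIEM rule tuning: watchlist exceptions, business-hour
exceptions and count-over-window thresholds applied to raw events.
Constructed example; not FortiSIEM code or its rule format."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, rule name, source IP, user).
SAMPLE_EVENTS = [
    ("2024-05-06 09:00:00", "Excessive Failed Logons", "10.1.1.5", "svc_backup"),
    ("2024-05-06 09:01:00", "Excessive Failed Logons", "10.1.1.5", "svc_backup"),
    ("2024-05-06 09:02:00", "Excessive Failed Logons", "10.1.1.9", "alice"),
    ("2024-05-06 09:03:00", "Excessive Failed Logons", "10.1.1.9", "alice"),
    ("2024-05-06 09:04:00", "Excessive Failed Logons", "10.1.1.9", "alice"),
    ("2024-05-06 09:05:00", "Excessive Failed Logons", "10.1.1.9", "alice"),
    ("2024-05-06 09:06:00", "Excessive Failed Logons", "10.1.1.9", "alice"),
    ("2024-05-06 02:30:00", "Scheduled Task Created", "10.1.1.20", "admin"),
    ("2024-05-06 10:30:00", "Scheduled Task Created", "10.1.1.20", "admin"),
    ("2024-05-06 11:00:00", "Port Scan Detected", "10.1.1.30", "-"),
]

# Hypothetical watchlist-style exceptions: rule -> attribute -> excluded values.
# (A known backup service account that fails logons by design.)
WATCHLIST_EXCEPTIONS = {
    "Excessive Failed Logons": {"src_ip": {"10.1.1.5"}, "user": {"svc_backup"}},
}

# Hypothetical time-based exception: these rules only fire in business hours.
BUSINESS_HOURS = (8, 18)          # 08:00 <= hour < 18:00
BUSINESS_HOURS_ONLY = {"Scheduled Task Created"}

# Hypothetical count-over-window thresholds: rule -> (count, window).
THRESHOLDS = {"Excessive Failed Logons": (5, timedelta(minutes=10))}


def parse_events(rows):
    """Turn the constructed tuples into dicts with real timestamps."""
    return [{"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "rule": rule,
             "src_ip": ip, "user": user} for ts, rule, ip, user in rows]


def rank_rules(events):
    """Raw event count per rule, noisiest first: the tuning candidates."""
    return Counter(e["rule"] for e in events).most_common()


def is_excepted(event, exceptions=WATCHLIST_EXCEPTIONS):
    """True if any attribute of the event is on the rule's exception watchlist."""
    rule_exc = exceptions.get(event["rule"], {})
    return any(event.get(attr) in values for attr, values in rule_exc.items())


def in_business_hours(ts, hours=BUSINESS_HOURS):
    return hours[0] <= ts.hour < hours[1]


def tune(events, exceptions=WATCHLIST_EXCEPTIONS, thresholds=THRESHOLDS,
         business_only=BUSINESS_HOURS_ONLY):
    """Return the events that still become incidents after tuning, in time order."""
    incidents = []
    recent = defaultdict(list)    # (rule, src_ip) -> timestamps inside the window
    for e in sorted(events, key=lambda e: e["ts"]):
        if is_excepted(e, exceptions):
            continue
        if e["rule"] in business_only and not in_business_hours(e["ts"]):
            continue
        if e["rule"] not in thresholds:
            incidents.append(e)   # no threshold: every event is an incident
            continue
        count, window = thresholds[e["rule"]]
        key = (e["rule"], e["src_ip"])
        recent[key] = [t for t in recent[key] if e["ts"] - t < window] + [e["ts"]]
        if len(recent[key]) >= count:
            incidents.append(e)   # one incident per window, then reset
            recent[key] = []
    return incidents


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("raw events per rule:", rank_rules(evs))
    print("incidents after tuning:", len(tune(evs)), "of", len(evs), "events")
```

With these constructed inputs the ten raw events collapse to three incidents: the backup account is excepted, the five failed logons from one host become a single threshold incident, and the off-hours scheduled-task event is dropped while the business-hours one stays. Running `rank_rules` on a real export of incident data is the quickest way to find which two or three rules are producing most of the noise.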
Hi Yadde, I'd be interested to know which rules you consider to be false positives; maybe there is some tuning possible for the rules that are producing them.
If you are seeing permitted traffic inbound from IoCs on threat feeds, you should investigate further. If you are seeing it trigger against FortiGuard, then check the IoC on ioc.fortiguard.com (requires a FortiSIEM IOC threat feed subscription) for more details.
You can also enable IoC lookups, both in real time via notification policies and ad hoc, using this: https://help.fortinet.com/fsiem/7-1-1/Online-Help/HTML5_Help/Integration-settings.htm#Configur9
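The "Permitted Traffic from ... IP" findings in the question are worth triaging separately from the rest of the noise, because a permitted hit means a firewall policy let a connection to or from a feed IP through. The block below is an added illustration, not code from this thread, FortiSIEM or FortiGate: it parses constructed FortiGate-style key=value log lines, matches source and destination addresses against a constructed feed (placeholder addresses, not real indicators), and splits the hits into permitted and blocked, grouping the permitted ones by policy ID so you can see which policies still need the threat feed applied.

```python
"""Triage helper for 'Permitted Traffic from <threat feed> IP' style findings:
parse firewall-style key=value log lines, match IPs against a threat feed and
separate permitted hits (investigate, fix the policy) from blocked ones.
Constructed example; not FortiSIEM or FortiGate code."""
import shlex
from collections import Counter

# Constructed feed of IoC addresses (documentation-range placeholders).
THREAT_FEED = {"203.0.113.7", "198.51.100.25"}

# Constructed log lines in FortiGate-like key=value form.
SAMPLE_LOGS = [
    'date=2024-05-06 time=09:01:10 type="traffic" srcip=10.0.0.15 dstip=203.0.113.7 dstport=443 action="accept" policyid=12',
    'date=2024-05-06 time=09:02:05 type="traffic" srcip=198.51.100.25 dstip=10.0.0.80 dstport=22 action="deny" policyid=0',
    'date=2024-05-06 time=09:03:40 type="traffic" srcip=10.0.0.22 dstip=192.0.2.10 dstport=80 action="accept" policyid=12',
    'date=2024-05-06 time=09:04:12 type="traffic" srcip=10.0.0.15 dstip=198.51.100.25 dstport=8080 action="accept" policyid=15',
]


def parse_kv(line):
    """Split a key=value log line into a dict; shlex strips the quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def ioc_hits(lines, feed=THREAT_FEED):
    """Return (permitted, blocked): parsed records whose src or dst IP is on the feed."""
    permitted, blocked = [], []
    for line in lines:
        rec = parse_kv(line)
        matched = {rec.get("srcip"), rec.get("dstip")} & feed
        if not matched:
            continue
        rec["ioc"] = sorted(matched)
        # Anything other than an explicit accept is treated as blocked here.
        (permitted if rec.get("action") == "accept" else blocked).append(rec)
    return permitted, blocked


def policies_to_review(permitted):
    """Policy IDs that let feed-listed traffic through, with hit counts."""
    return Counter(r.get("policyid") for r in permitted)


if __name__ == "__main__":
    ok, blk = ioc_hits(SAMPLE_LOGS)
    print(f"{len(ok)} permitted IoC hits, {len(blk)} blocked")
    for r in ok:
        print(" review policy", r["policyid"], "->", r["ioc"], "dstport", r["dstport"])
```

On the constructed lines two hits were permitted (by policies 12 and 15) and one inbound attempt was denied. The permitted ones are the records to pursue: the blocked hit confirms the feed is working on that path, while a permitted hit says the policy that matched does not have the feed-based block applied, which is the remediation point the previous reply describes.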
Hi @yadde,
Just one side note: in our SOC (currently on FSM v7.1.3) our analysts have obviously trained the AI enough to sort out a lot of false positives already; they make use of the "Incident Resolution Recommendation", see: https://help.fortinet.com/fsiem/7-1-4/Online-Help/HTML5_Help/incident_resolution_recommendation.htm
Best,
Christian