Hi All, Could really use some help/ideas on this below currently we have FortiSIEM but it just produces too many false positives, can't really see the most important incidents from all the incidents it produces.
How can we reduce the amount of false positives produced? Any exclusions and rules we need to target and customize for this? we also see a lot of Permitted Traffic from Emerging Threat IP and Permitted Traffic from FortiGuard Malware IP List. surely if these are coming up as malicious surely Forti guard database should be blocking them if they are? do we have to add or find more databases to integrate them to FortiSIEM to block theses malicious IP's? Hope to hear from you all.
Thank you in advance.
Hi @yadde ,
To reduce false positives you can perform the below:
- Create a watchlist and add that in rule exceptions. Like the rule not to be triggered for certain IPs or users.
Documentation :
https://help.fortinet.com/fsiem/7-1-4/Online-Help/HTML5_Help/Watch_list.htm
https://help.fortinet.com/fsiem/7-1-4/Online-Help/HTML5_Help/Creating-rules.html#Defining3
- Deactivate any rules that is not required.
- Rule exception based on time, not to trigger at off business hours etc
- Increase time window in rule to be triggered
- Define clear clear conditions
For rules related to Fortiguard ip block, if remediation configured correctly then it should block the IP.
Regarding integrating other threatfeed you would need to decide this.
Hi Yadde, I'd be interested to know what are the rules you consider to be false positive, maybe there is some tuning of the rules that are false positives.
If you are seeing peritted traffic inbound from IOC on threat feeds, you should investigate further. If you are seeing it trigger against Fortiguard then check the IoC on ioc.fortiguard.com (requires a FortiSIEM IOC threatfeed subscription) for more details.
You can also enable IoC lookups both in real time via notification policies and adhoc using this https://help.fortinet.com/fsiem/7-1-1/Online-Help/HTML5_Help/Integration-settings.htm#Configur9
Hi @yadde,
Just one side-note: In our SOC (currently on FSM v7.1.3) our analysts obviously trained the ai enough to sort out a lot of false positives already; they make use of the "Incident Resolution Recommendation", see: https://help.fortinet.com/fsiem/7-1-4/Online-Help/HTML5_Help/incident_resolution_recommendation.htm
Best,
Christian
Welcome to your new Fortinet Community!
You'll find your previous forum posts under "Forums"
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.