I can use a nested query to search for the devices not sending logs, but when I save this query as a report the results come out wrong.
How does everyone else here get the devices not sending logs in the last 24 hours?
Hello bhinangt,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello bhinangt,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
So far what I have done is:
Step 1: Created a report for reporting devices using event count.
But this report will only fetch devices that are sending logs, not all devices.
Step 2: I used a CMDB search for a nested report to search for reporting IPs not in the Step 1 report.
Results are perfect if I use search, but the same query, when saved as a report, gives incorrect data.
Why do I need a report?
Because I need to generate an alert by running one report every 24 hours in an automated manner and sending it to my ticketing tool; I cannot rely on staff to do this search query manually every day.
Hi @bhinangt
So far I have used FortiSIEM's default "no logs from a device" rule, but I haven't tested it much. Have you tried turning it into a report and using it?
I'm dealing with the same issue. Care to share your queries?
I have quickly tested as follows, let me know if it meets your criteria or not.
To get your result you can use a Nested Query, which, as you said, uses an Event Query to return devices reporting events during a time period (i.e. the last 24 hours) and a CMDB Query to report on assets in the CMDB.
1) Create Event Report .. (Inner Query) .. and save as "Reporting Devices Last Day"
Query .. Empty
Display Fields : Reporting IP, Reporting Device, COUNT(Matched Events)
2) CMDB Devices (Main/Outer Query)
Choose Query Type of "CMDB Attribute"
Device IP NOT_IN Report: Reporting Devices Last Day. (and choose Attribute to map to be Reporting IP)
For Display Fields use: Device IP, Device Name
Save your new report and remember it will be a CMDB Report, which can be scheduled as required.
I tested scheduling the CMDB report, and the results were as expected .. (on 7.2)
Is this what you did also?
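The logic of the nested report above, as an added stand-alone example (not FortiSIEM's own code or the poster's query) that can be used to cross-check a scheduled report's output: the inner query is the set of Reporting IPs with events in the last 24 hours, the outer query is every CMDB Device IP NOT_IN that set. The inventory and event records are constructed sample data, and the window and "now" timestamp are assumptions; it also goes one step further than the report and lists reporting IPs that are absent from the CMDB.

```python
from datetime import datetime, timedelta, timezone

# Constructed CMDB inventory: Device IP -> Device Name (stand-in for the CMDB query).
CMDB_DEVICES = {
    "10.0.0.1": "fw-edge-01",
    "10.0.0.2": "sw-core-01",
    "10.0.0.3": "srv-dc-01",
    "10.0.0.4": "srv-app-02",
}

# Constructed event records: (Reporting IP, event timestamp). Stand-in for the
# inner "Reporting Devices Last Day" event query.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    ("10.0.0.1", NOW - timedelta(hours=1)),
    ("10.0.0.2", NOW - timedelta(hours=23)),
    ("10.0.0.3", NOW - timedelta(hours=30)),   # outside the 24h window: silent
    ("10.0.0.9", NOW - timedelta(hours=2)),    # reporting, but not in the CMDB
]

def reporting_devices(events, now, window=timedelta(hours=24)):
    """Inner query: Reporting IP -> COUNT(Matched Events) within the window."""
    counts = {}
    for ip, ts in events:
        if now - window <= ts <= now:
            counts[ip] = counts.get(ip, 0) + 1
    return counts

def silent_devices(cmdb, events, now, window=timedelta(hours=24)):
    """Outer query: Device IP NOT_IN reporting IPs -> sorted [(Device IP, Device Name)]."""
    seen = reporting_devices(events, now, window)
    return sorted((ip, name) for ip, name in cmdb.items() if ip not in seen)

def unknown_reporters(cmdb, events, now, window=timedelta(hours=24)):
    """Reporting IPs absent from the CMDB; the report above cannot surface these."""
    seen = reporting_devices(events, now, window)
    return sorted(ip for ip in seen if ip not in cmdb)

if __name__ == "__main__":
    for ip, name in silent_devices(CMDB_DEVICES, EVENTS, NOW):
        print(f"no logs in last 24h: {ip} ({name})")
    for ip in unknown_reporters(CMDB_DEVICES, EVENTS, NOW):
        print(f"reporting IP not in CMDB: {ip}")
```

If the scheduled CMDB report and this check disagree for the same export, the difference is in the report's attribute mapping (Reporting IP to Device IP) or its time window rather than in the nested query idea itself.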