I can use nested query to search the devices not sending logs, but when I save this query as report results are coming wrong.
How everyone else here gets devices not sending logs in last 24 hours?
Hello bhinangt,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello bhinangt,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
So far what I have done is:
Step 1: Created report for reporting device using event count
But this report will only fetch devices who are sending logs and not all devices
Step 2: I used CMDB search for nested report to search reporting IP not in Step 1 report.
Results are perfect if i use search, but same query when saved as report is giving in correct data.
Why i need report?
Because I need to generate alert by running one report every 24 hours in automated manner and sending it to my ticketing tool, I cannot rely on staff to do this search query manually every day.
Hi @bhinangt
So far I have used FortiSIEM's default "no logs from a device" rule, but I haven't tested it much, have you tried turning it into a report and using it?
I'm dealing with the same issue. Care to share your queries?
I have quickly tested as follows, let me know if it meets your criteria or not.
To get your result you can use a Nested Query, which as you said uses an Event Query to return devices reporting events during a time period, ie: last 24 hours and a CMDB Query to report on Assets in the CMDB.
1) Create Event Report .. (Inner Query) .. and save as "Reporting Devices Last Day"
Query .. Empty
Display Fields : Reporting IP, Reporting Device, COUNT(Matched Events)
2) CMDB Devices (Main/Outer Query)
Choose Query Type of "CMDB Attribute"
Device IP NOT_IN Report: Reporting Devices Last Day. (and choose Attribute to map to be Reporting IP)
For Display Fields use: Device IP, Device Name
Save your new report and remember it will be a CMDB Report, which can be scheduled as required.
I tested scheduling the CMDB report, and the results were as expected .. (on 7.2)
Is this what you did also?
Welcome to your new Fortinet Community!
You'll find your previous forum posts under "Forums"
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.