New User - Getting Hammered by False Positives
Newbie looking for a link or general guide that will help me tweak some of these alerts. One in particular:
Rule
Rule Name: Ransomware detected on a host
Remediation:
Rule Description: Identifies excessive non-executable file changes by the same process on a Windows host. Requires Windows Security logs or FortiSIEM Agent to be running on the host.
Seems to occur anytime a user copies a folder. Help!
Hi @Andy409 ,
This is the expected behaviour of a SIEM that has not been optimised towards a particular organisation.
The process would be as follows for optimising a SIEM:
1) Run weekly reports on Incidents that have a closure of False positive, sorted by count
2) Review incident with highest count
3) Execute the Rule Pattern as a search query and gather the results
4) Review the logs that trigger the Rule
5) Review Rule Triggers
6) Optimise the Rule, either via exceptions or via cloning the rule and removing triggers.
7) Utilise Dynamic Watch lists within the rule to optimise further.
8) Execute the Rule Pattern as a search query and verify the outcome is correct.
S
What FortiSIEM version are you using?
Hmm, probably by design of the rule itself, a tough one.
It is looking for 200 or more distinct file name changes in a short period of time.
I assume you are seeing > 200 FINS-Windows-file-renamed events for the same host when copying a folder?
We use 7.1.2. The weird thing is it seems to pick up reads. It is our primary fileshare so people do copy, move and change stuff all day.
Thanks for the response. Maybe we just double the number?
So my Qs would be:
1) Do they change > 200 files in 5 minutes?
2) If so, how many events over the 200 count is the match?
3) Is the user presented in the events? Is it the same user or different users?
4) Is it only the read event you are seeing?
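To make the rule's logic concrete, here is an added Python sketch (not FortiSIEM code and not from anyone in this thread) that counts distinct file names per host and process over a 5-minute sliding window, ignores read events, and applies a process exception list. The event type names other than FINS-Windows-file-renamed, the process names and the sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 200                # distinct file names, as described in the thread
WINDOW = timedelta(minutes=5)  # evaluation window mentioned in the thread
# Only rename/create events count; reads are ignored. Only the "renamed" type
# name appears in the thread; the other type names are assumed placeholders.
COUNTED_TYPES = {"FINS-Windows-file-renamed", "FINS-Windows-file-created"}
# Hypothetical exception list of processes that legitimately touch many files.
EXCLUDED_PROCESSES = {"explorer.exe", "robocopy.exe"}

def detect(events, threshold=THRESHOLD, window=WINDOW, excluded=EXCLUDED_PROCESSES):
    """Return {(host, process): n} for every host/process pair that touched
    at least `threshold` distinct file names inside one sliding window."""
    groups = defaultdict(list)
    for ts, host, proc, etype, fname in events:
        if etype in COUNTED_TYPES and proc.lower() not in excluded:
            groups[(host, proc)].append((ts, fname))
    hits = {}
    for key, items in groups.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            names = set()
            for ts, fname in items[i:]:
                if ts - start > window:
                    break
                names.add(fname)
            if len(names) >= threshold:
                hits[key] = len(names)
                break
    return hits

def sample_events():
    """Constructed events (timestamp, host, process, type, file), not real logs."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    ev = []
    for i in range(250):  # user copies a folder: many creates in ~2 minutes
        ev.append((t0 + timedelta(seconds=i // 2), "FS01", "explorer.exe",
                   "FINS-Windows-file-created", f"share\\copy\\doc{i}.docx"))
    for i in range(300):  # backup agent only reads files: must not count
        ev.append((t0 + timedelta(seconds=i), "FS01", "backup.exe",
                   "FINS-Windows-file-read", f"share\\data\\f{i}.xlsx"))
    for i in range(220):  # unknown process renames 220 files in under 4 minutes
        ev.append((t0 + timedelta(seconds=i), "FS01", "unknown.exe",
                   "FINS-Windows-file-renamed", f"share\\data\\f{i}.xlsx.locked"))
    for i in range(150):  # slow renames spread over 30 minutes: never 200 per window
        ev.append((t0 + timedelta(seconds=i * 12), "WS07", "svc.exe",
                   "FINS-Windows-file-renamed", f"tmp\\{i}.tmp"))
    return ev
```

Against the sample, the exception list drops the explorer.exe folder copy while the 220-rename burst still fires; simply doubling the threshold to 400 silences both, which is the trade-off behind the "just double the number" question above.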
We need to see what the process is that is causing the reads or writes and see if this can be excluded in the default rule.
If you can sanitise and share the raw logs so that we can understand the process or directories we can look further.