Help
FortiSIEM Discussions
Andy409
New Contributor

Created on ‎06-03-2024 11:31 AM

New User - Getting Hammered by False Positives

Newbie looking for a link or general guide that will help me tweak some of these alerts.  One in particular: 

Rule

 

Rule Name:  Ransomware detected on a host

Remediation:  

Rule Description:  Identifies excessive non-executable file changes by the same process on a Windows host. Requires Windows Security logs or FortiSIEM Agent to be running on the host.

 

Seems to occur anytime a user copies a folder.  Help!

281
0 Kudos
1 Solution
sioannou
Contributor

Created on ‎06-06-2024 01:06 AM

Hi @Andy409 , 

 

This is the expected behaviour of a SIEM that has not been optimised towards a particular organisation. 

 

The process would be as follows for optimising a SIEM: 

1) Run weekly reports on Incidents that have a closure of False possitive sort by count

2) Review incident with highest count

3) Execute the Rule Pattern as a search query and gather the results

4) Review the logs that trigger the Rule

5) Review Rule Triggers 

6) Optimise the Rule, either via exceptions or via cloning the rule and removing triggers. 

7) Utilise Dynamic Watch lists within the rule to optimise further. 

8) Execute the Rule Pattern as a search query verify outcome is correct.

 

S

View solution in original post

184
5 REPLIES 5
cdurkin_FTNT
Staff
Staff

Created on ‎06-03-2024 11:58 AM

What FortiSIEM version are you using?

 

Hmm, probably by design of the rule itself, a tough one.

 

It is looking for 200 or more distinct file name changes in a short period of time.

 

I assume you are seeing > 200 FINS-Windows-file-renamed events for the same host when copying a folder?

 

 

 

268
Andy409
New Contributor

Created on ‎06-03-2024 01:32 PM

We use 7.1.2.  The weird thing is it seems to pick up reads.  It is our primary fileshare so people do copy, move and change stuff all day.  

 

Thanks for the response.  Maybe we just double the number?

255
0 Kudos
cdurkin_FTNT
Staff
Staff
In response to Andy409

Created on ‎06-06-2024 06:18 AM

So my Qs would be ..

 

1) do they change > 200 files in 5 minutes?

2) if so.. how many events over the 200 count is the match?

3) Is the user presented in the events?  is it the same user or different users?

4) is it only the read event you are seeing?

 

171
sioannou
Contributor

Created on ‎06-06-2024 01:06 AM

Hi @Andy409 , 

 

This is the expected behaviour of a SIEM that has not been optimised towards a particular organisation. 

 

The process would be as follows for optimising a SIEM: 

1) Run weekly reports on Incidents that have a closure of False possitive sort by count

2) Review incident with highest count

3) Execute the Rule Pattern as a search query and gather the results

4) Review the logs that trigger the Rule

5) Review Rule Triggers 

6) Optimise the Rule, either via exceptions or via cloning the rule and removing triggers. 

7) Utilise Dynamic Watch lists within the rule to optimise further. 

8) Execute the Rule Pattern as a search query verify outcome is correct.

 

S

185
FSM_FTNT
Staff
Staff

Created on ‎07-03-2024 01:18 PM

We need to see what the process is that is causing the read or writes and see if this can be excluded in the default rule.

If you can sanitise and share the raw logs so that we can understand the process or directories we can look further.

24
0 Kudos
Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.