Fortinet Community

Unlock Exclusive Benefits

Join Our Community Today!

Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!

Support Forum
Knowledge Base
Community Groups
Blogs

FortiSIEM Discussions

Fortinet Community
Community Groups
FortiSIEM
Discussions
Seeking a rule to detect the WindowsLogAgent Disco...

Options

Subscribe to RSS Feed
Mark Topic as New
Mark Topic as Read
Float this Topic for Current User
Bookmark
Subscribe
Mute
Printer Friendly Page

KarlH

Contributor II

Created on ‎04-29-2025 03:49 PM Edited on ‎04-29-2025 03:50 PM

Options

Mark as New
Bookmark
Subscribe
Mute
Subscribe to RSS Feed
Permalink
Print
Report Inappropriate Content

Seeking a rule to detect the WindowsLogAgent Disconnected for 2 hours or more and alert once

I could not find any of the below using the

System Event Category = 2 Query.

Filters: Select the attribute that identifies the Windows Agent heartbeat log. In FortiSIEM’s Event Type browser, find the event type for the agent heartbeat. For example, FortiSIEM categorizes agent heartbeat status under audit events – one common event is “PH_AUDIT_AGENT_RUNNING” (description: Windows/Linux Agent is running and sending events) which the agent sends periodically, and a related event “PH_AUDIT_AGENT_NOTRESPONDING” for when it times outfortinetweb.s3.amazonaws.com. Use the appropriate heartbeat event identifier for your version (e.g. Event Type = PH_AUDIT_AGENT_RUNNING).

Karl Henning, Security Engineer, CISSP

Labels:

Labels:
FortiSIEM

178

0 Kudos

Nominate to Knowledge Base

Nominate a Forum Post for Knowledge Article Creation

Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.

SUBMIT CANCEL

All forum topics
Previous Topic
Next Topic

0 REPLIES 0

Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"

Labels

Top Labels

Alphabetical

FortiSIEM 167
Parsers 7
Rules 5
ClickHouse 4
fortisiem v7.2.0 4
FortiSIEM v6.x 4
integration 4
API 4
Agent Linux 3
database 3
Agent 3
FortiSIEM Cloud 3
Collector 3
External System Integration 3
FortiGate 3
watchlist 2
FortiAnalyzer 2
Collector Agent 2
Source Code 2
lookuptables 2
FortiSiem 7.1 2
Supervisor 2
SAML 2
CMDB 2
Analytics & Reporting 2
GUI 2
Incidents 2
Rocky Linux 8 1
eventdb 1
Impact 1
Redhat 8 1
OPManager 1
Oracle Linux 8 1
Alma Linux 8 1
"FortiSIEM Incidents" 1
lookups 1
o 1
CMMC 1
Audit 1
RBAC 1
User Control 1
Audit log 1
Reference Files 1
Hi 1
cisco wsa 1
Partnership Inquiry 1
Reference Material 1
FortiClient 1
FortiAuthenticator v5.5 1
FortiSIEM HW 1
upgrade 1
IPsec 1
Migration 1
External Connectors 1
LDAP 1
Report 1
Microsoft Office365 1
Azure 1
Cisco 1
discovery 1
Windows Defender 1
Report-Rules-Dashboards 1
Notifications 1
Expressions 1
Architecture 1
FortiSASE 1
Status 1
MySQL 1
Internet service database 1
Dashboard 1
Usage 1
Certificate 1
enrichement 1

Previous
1 of 8
Next

Top Kudoed Authors

User

Count

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media

Security Research

Threat Research
FortiGuard Labs
Threat Map
Threat Briefs
Ransomware
Getting Started Resources

Company

About Us
Security Fabric
Exec. Mgmt
Careers
Certifications
Events
Industry Awards
Social Responsibility

News & Articles

News Releases
News Articles
Trademarks

Corporate
Community

Terms of Service
Privacy Policy
GDPR
Cookie Settings

You are leaving our website

You are leaving our site and we cannot be held responsible for the content of external websites

Stay Here Continue