FortiSIEM Discussions

The rule doesn't create incident Issue

Hi everyone,


I created the rule. When I run the query, I observe that the event occurs, but it did not create an incident. What could be the reason for this?

(Attached screenshots: Screenshot 2024-01-16 160315.png, Screenshot 2024-01-16 160157.png, Screenshot 2024-01-16 160216.png)



Hard to say without seeing a raw syslog message to test... can you provide?


A couple of comments on the rule itself ...


1) Check the rule is enabled

2) No need to group by Event Type here, as the rule itself is only looking for a specific event type in the pattern

3) Possibly the same for Reporting IP also

I'd usually set the below if I was using it for the incident attributes:

Event Attribute - Subpattern - Filter Attribute

Destination IP - Filter_1 - Reporting IP





Rule active, yes. The reason why I group by the event type here is that I can understand the subject through the event type when I run the query.
Why would you make Reporting IP the destination?


It is covered in the NSE7 training, which covers rules in more depth and I think it provides a hand out of the incident attribute mappings.


Basically, from the incident attributes .. FortiSIEM will determine what is the Incident Source / Target and Detail to display in the Incident Dashboard.


Targets are Destination IP, Host IP, etc (but not Reporting IP .. hence why you can overwrite)..

Sources are Source IP etc..

Details are any other values that do not match Src/Target


Check the rule "Account Locked: Network Device" as an example.




Hi @cdurkin_FTNT 


I did it this way, but it has not changed this time either.


Ok, just post the full raw message below and sanitize as needed, and I will look to test/produce a rule for you.


Hi @cdurkin_FTNT 


Unfortunately, I cannot share the full raw message. However, if you have a Forti firewall, the raw messages will look the same. It comes as object-attribute-message.
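Added example, not part of the thread and not Fortinet code: the two posts above stall because a raw message cannot be shared, yet a rule cannot be reproduced without one. The script below parses a FortiGate-style key=value syslog line and replaces IPs and environment identifiers with consistent placeholders, so the sanitized line still shows which attribute carries which address (the same address in srcip= and inside msg= maps to the same token). The sample line is constructed for this example; the field names follow FortiGate's key=value format, and the SENSITIVE_FIELDS list is an assumption to extend to your own disclosure policy.

```python
import re

# Constructed FortiGate-style syslog line written for this example; the field names
# (devname, logid, srcip, msg, ...) follow FortiGate's key=value log format, but the
# values are invented and do not come from any real device.
SAMPLE = (
    'date=2024-01-16 time=16:03:15 devname="FW-EDGE-01" devid="FGT60F0000000001" '
    'logid="0100032002" type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="ssh(10.0.0.25)" '
    'srcip=10.0.0.25 dstip=10.0.0.1 action="login" status="success" '
    'msg="Administrator admin logged in successfully from ssh(10.0.0.25)"'
)

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')

# Fields whose values identify the customer environment. This list is an assumption
# for the example; extend it to match your own disclosure policy.
SENSITIVE_FIELDS = ("devname", "devid", "user", "srcname", "dstname", "hostname")


def parse_fortigate(line):
    """Split a FortiGate key=value line into an ordered dict.

    Returns (fields, quoted): quoted records which keys carried double quotes so the
    line can be re-emitted in the same shape it arrived in.
    """
    fields, quoted = {}, set()
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
            quoted.add(key)
        fields[key] = raw
    return fields, quoted


def sanitize(fields):
    """Replace IPs and environment identifiers with consistent placeholders.

    Consistency is the point: whoever tests a rule against the sanitized line must
    still see that the address in srcip= is the same one embedded in ui= and msg=,
    otherwise the sample no longer exercises the same rule logic.
    """
    replacements, counters = {}, {}

    def placeholder(prefix, original):
        if original not in replacements:
            counters[prefix] = counters.get(prefix, 0) + 1
            replacements[original] = f"{prefix}{counters[prefix]}"
        return replacements[original]

    # Pass 1: register identifiers that appear in sensitive fields (user="admin", ...).
    for key, value in fields.items():
        if key in SENSITIVE_FIELDS and value:
            placeholder(key.upper() + "_", value)
    identifiers = sorted(replacements, key=len, reverse=True)  # longest first

    # Pass 2: rewrite every value: IPv4 addresses anywhere, then the registered
    # identifiers anywhere (so free-text msg= is cleaned too), matched as whole words.
    out = {}
    for key, value in fields.items():
        value = IPV4_RE.sub(lambda m: placeholder("IP", m.group(0)), value)
        for original in identifiers:
            value = re.sub(r"(?<!\w)" + re.escape(original) + r"(?!\w)",
                           replacements[original], value)
        out[key] = value
    return out, replacements


def serialize(fields, quoted):
    """Re-emit fields in FortiGate form, keeping the original quoting per key."""
    parts = []
    for key, value in fields.items():
        if key in quoted or " " in value:
            value = '"' + value.replace('"', '\\"') + '"'
        parts.append(f"{key}={value}")
    return " ".join(parts)


def sanitize_line(line):
    """Raw line in; shareable line and the private token mapping out."""
    fields, quoted = parse_fortigate(line)
    clean, mapping = sanitize(fields)
    return serialize(clean, quoted), mapping


if __name__ == "__main__":
    shareable, mapping = sanitize_line(SAMPLE)
    print(shareable)
    for original, token in mapping.items():
        print(f"  {token} <- {original}")  # keep this mapping private
```

Post the printed line, keep the mapping to yourself; the reviewer can then feed the sanitized line to a test parser and check which parsed attributes the rule's sub-pattern and incident attributes actually reference.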

