The rule doesn't create incident Issue

adem_netsys · ‎01-17-2024

Hi everyone,

i created the rule when I run the query, I observe that the event occurs, but it did not create an incident. What could be the reason for this?

cdurkin_FTNT · ‎01-17-2024

Hard to say without seeing a raw syslog message to test... can you provide?

A couple of comments on the rule itself ...

1) Check the rule is enabled

2) No need to group by Event Type here .. as the rule itself is only looking for a specific event type in the pattern

3) Possibly the same for Reporting IP also

I'd usually set the below If I was using it for the incident attributes :

Event Attribute - Subpattern - Filter Attribute

Destination IP - Filter_1 - Reporting IP

adem_netsys · ‎01-17-2024

@cdurkin_FTNT

Rule active, yes. The reason why I group the event type here is that I can understand the subject through the event type when I run the query.
Why would you make reporting ip as destination?

cdurkin_FTNT · ‎01-17-2024

It is covered in the NSE7 training, which covers rules in more depth and I think it provides a hand out of the incident attribute mappings.

Basically, from the incident attributes .. FortiSIEM will determine what is the Incident Source / Target and Detail to display in the Incident Dashboard.

Targets are Destination IP, Host IP, etc (but not Reporting IP .. hence why you can overwrite)..

Sources are Source IP etc..

Details is any other value that does not match Src/Target

Check the rule "Account Locked: Network Device" as an example.

adem_netsys · ‎01-18-2024

Hi @cdurkin_FTNT

I did it this way but it has not changed this time too

cdurkin_FTNT · ‎01-18-2024

Ok, just post the full raw message below and sanitize as needed, and I will look to test/produce a rule for you.

adem_netsys · ‎01-20-2024

Hi @cdurkin_FTNT

Unfortunately, I cannot share the full raw message. However, if you have forti firewalle, raw messages will sound the same. It comes as object-attribute-message.