Hi everyone,
I created the rule. When I run the query, I observe that the event occurs, but it did not create an incident. What could be the reason for this?
Hard to say without seeing a raw syslog message to test... can you provide?
A couple of comments on the rule itself ...
1) Check the rule is enabled
2) No need to group by Event Type here .. as the rule itself is only looking for a specific event type in the pattern
3) Possibly the same for Reporting IP also
I'd usually set the below if I was using it for the incident attributes:
Event Attribute | Subpattern | Filter Attribute
Destination IP  | Filter_1   | Reporting IP
Rule active, yes. The reason why I group the event type here is that I can understand the subject through the event type when I run the query.
Why would you make Reporting IP the destination?
It is covered in the NSE7 training, which covers rules in more depth and I think it provides a hand out of the incident attribute mappings.
Basically, from the incident attributes .. FortiSIEM will determine what is the Incident Source / Target and Detail to display in the Incident Dashboard.
Targets are Destination IP, Host IP, etc. (but not Reporting IP, hence why you can overwrite it).
Sources are Source IP, etc.
Details are any other values that do not match Source/Target.
Check the rule "Account Locked: Network Device" as an example.
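To make the three points above concrete (a disabled rule never fires; the subpattern filter already pins the event type, so grouping by it adds nothing; and the incident-attribute mapping decides what lands in Source, Target and Detail), here is a small Python model of that evaluation. It is an added illustration written for this thread, not FortiSIEM code. The attribute names (reptDevIpAddr, srcIpAddr, destIpAddr, eventType), the logid-to-event-type table and the FortiGate-style key=value log lines are all assumptions constructed for the example; the Source/Target/Detail split follows the heuristic described in the reply above.

```python
"""Toy model of rule evaluation and incident attribute mapping (added example, not FortiSIEM code)."""
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hypothetical logid -> event type table; FortiSIEM's own parsers do this for real.
EVENT_TYPE_BY_LOGID = {"0100032002": "FortiGate-event-admin-login-failed"}

# Raw FortiGate field -> event attribute name (names assumed to resemble FortiSIEM's).
ATTR_RENAME = {"srcip": "srcIpAddr", "dstip": "destIpAddr", "user": "user"}

# Classification described in the thread: Destination/Host IP style attributes are
# Targets, Source IP style attributes are Sources, everything else is a Detail.
TARGET_ATTRS = {"destIpAddr", "hostIpAddr"}
SOURCE_ATTRS = {"srcIpAddr"}


def parse_fortigate_line(reporting_ip, line):
    """Parse a key=value syslog line into an event dict; the syslog sender is the Reporting IP."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    event = {
        "reptDevIpAddr": reporting_ip,
        "eventType": EVENT_TYPE_BY_LOGID.get(fields.get("logid"), "Unknown"),
    }
    for raw, attr in ATTR_RENAME.items():
        if raw in fields:
            event[attr] = fields[raw]
    return event


def classify(attrs):
    """Split incident attributes into source / target / detail buckets."""
    inc = {"source": {}, "target": {}, "detail": {}}
    for name, value in attrs.items():
        bucket = "target" if name in TARGET_ATTRS else "source" if name in SOURCE_ATTRS else "detail"
        inc[bucket][name] = value
    return inc


def evaluate_rule(rule, events):
    """Filter, group and count events for one subpattern; emit classified incidents."""
    if not rule["enabled"]:  # check 1 from the thread: a disabled rule never creates incidents
        return []
    sp = rule["subpattern"]
    groups = defaultdict(list)
    for ev in events:
        if all(ev.get(k) == v for k, v in sp["filter"].items()):
            groups[tuple(ev.get(g) for g in sp["group_by"])].append(ev)
    incidents = []
    for matched in groups.values():
        if len(matched) < sp["threshold"]:
            continue
        # incident attribute <- (subpattern, event attribute), as in the rule editor's mapping table
        attrs = {
            inc_attr: matched[0][ev_attr]
            for inc_attr, (sp_name, ev_attr) in rule["incident_attributes"].items()
            if sp_name == sp["name"] and ev_attr in matched[0]
        }
        incidents.append(classify(attrs))
    return incidents


# Constructed sample events (not captured from a real device): three failed admin logins
# reported by firewall 192.0.2.1, plus one unrelated traffic log that the filter should drop.
LOGIN_FAIL = ('date=2024-05-01 time=10:00:0{n} devname="FGT-1" logid="0100032002" type="event" '
              'subtype="system" logdesc="Admin login failed" user="admin" srcip=10.0.0.5 status="failed"')
EVENTS = [parse_fortigate_line("192.0.2.1", LOGIN_FAIL.format(n=n)) for n in range(1, 4)]
EVENTS.append(parse_fortigate_line("192.0.2.1", 'date=2024-05-01 time=10:00:05 devname="FGT-1" '
                                   'logid="0000000013" type="traffic" srcip=10.0.0.9 dstip=198.51.100.7'))

# Filtering on eventType makes "group by eventType" redundant, so the rule groups by Reporting IP only.
SUBPATTERN = {"name": "Filter_1", "filter": {"eventType": "FortiGate-event-admin-login-failed"},
              "group_by": ["reptDevIpAddr"], "threshold": 3}

# Mapping from the thread: Destination IP <- Filter_1.Reporting IP, so the firewall shows as Target.
RULE = {"enabled": True, "subpattern": SUBPATTERN,
        "incident_attributes": {"destIpAddr": ("Filter_1", "reptDevIpAddr"),
                                "srcIpAddr": ("Filter_1", "srcIpAddr"),
                                "user": ("Filter_1", "user")}}

# Same rule but Reporting IP mapped to itself: it is neither Source nor Target, so it becomes a Detail.
RULE_DIRECT = dict(RULE, incident_attributes={"reptDevIpAddr": ("Filter_1", "reptDevIpAddr"),
                                              "srcIpAddr": ("Filter_1", "srcIpAddr")})

if __name__ == "__main__":
    print(evaluate_rule(RULE, EVENTS))
    print(evaluate_rule(RULE_DIRECT, EVENTS))
    print(evaluate_rule(dict(RULE, enabled=False), EVENTS))
```

Running it shows the firewall's Reporting IP in the Target bucket only when it is mapped onto Destination IP; mapped onto itself it ends up in Detail, and the disabled copy of the rule produces nothing at all, which is the first thing to check when a query matches but no incident appears.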
Ok, just post the full raw message below and sanitize as needed, and I will look to test/produce a rule for you.
Unfortunately, I cannot share the full raw message. However, if you have a Forti firewall, the raw messages will look the same. It comes as object-attribute-message.
Copyright 2024 Fortinet, Inc. All Rights Reserved.