FortiSIEM Discussions
Secusaurus
Contributor II

Your experience with Baseline-Rules?

Hi everyone,

 

I'd just like to exchange thoughts or practices about baseline-focused rules on the FortiSIEM:

At the moment, about 80% of our Incidents are "Sudden increase in ...", as we narrowed down all the other rules to not trigger on False Positives. But there are a lot of cases where we cannot make clever exceptions on baseline-focused rules. E.g. if a user is only one day per week in the office, he will always generate traffic far beyond the 5-day-avarage as soon as he is in office.

 

So, my question would be:

How do you handle these rules? Do you disable them? Did you find filters to get around these situations? Do you switch to ML rules instead? Do your analyst just ignore some Incidents?

 

Our analyst aim to having all Incidents cleared or not happening at all (for the False Positives), so we disable a lot of these baseline-focused ones.

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
FCP & FCSS Security Operations | Fortinet Advanced Partner
1 REPLY 1
sioannou
Contributor

Hi Christian, 

 

We are exactly at the same point, we are having internal discussions on how to deal with baseline rules. 

To be honest the optimisation requires modification of the underlying baseline profile otherwise if you add Attributes to the rule or change the filter then it fails to synchronise since there are no matching attributes in the profile. 

 

The discussion we are having right now is to try to expand the attributes in the profile and see where it takes us. We think we can optimise the rules a lot more. The rules in a couple of occasions where very good pointers at the beginning of an attack. That is why the team prefers to investigate all possible avenues before considering disabling the rules. 

 

Also I haven't had a chance to test the new analytics functions of Clickhouse and if they are ported to the Rules or not. If they are available to the rules, I will be more inclined to build a new rule by utilising the functions and taking profiles out of the equation (taking under consideration the impact) with the scheduled rule execution (refer to FortiSIEM 7.1.0 release document for details).  

 

In my view False Positive rate is not a good indicator of disabling a rule, relevance should be the indicator. 

 

Hope it helps, 

 

S

Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"