Technical Tip: Handling Incidents Triggered by Del...

FortiSIEM

FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)

Article Id 389315

Description

This article describes that despite deletion, the incident continues to trigger, indicating the rule might still exist in an older version of the FortiSIEM or is cached in the incident system.

Scope

FortiSIEM.

Solution

Verify Rule Deletion in Database. Use the following command to check if the rule still exists in the ph_drq_rule table in the database:

psql -U phoenix phoenixdb -c "select * from ph_drq_rule" --csv > /tmp/allrules.csv

Open the exported CSV file (/tmp/allrules.csv). Search for the rule name to confirm whether it exists in the current database. If the rule is not found in the database, proceed to the next step.

Sometimes, even after deletion from the database, a rule might still exist in a previous version of the FortiSIEM and continue to trigger incidents.

To stop this:

Navigate to the incident page where the specific incident is listed.
Locate and select the incident that is being triggered by the deleted rule.
Select 'Actions'.
Choose Disable Rule.

Once the rule is disabled from the incident interface, no further incidents should be triggered from the deleted rule.

Maintain an updated list of active rules to avoid confusion by running below command:

psql -U phoenix phoenixdb -c "select * from ph_drq_rule where active = 't';" --csv > /tmp/enablerule.csv

254

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Technical Tip: Handling Incidents Triggered by Deleted Rules

You are leaving our website