FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
tskandamis
Staff
Article Id 244055
Description

This article describes how baseline works and some key points to check for troubleshooting.

 

For further information/documentation about the baseline reports/rules, follow the FortiSiem Advanced Analytics training:
Advanced Analytics Training.

Scope

Baseline.
Solution

Introduction:

 

Rules can use baselines instead of static, hard-coded thresholds, and baseline reports can be used to query the baseline data itself.

 

The difference from normal rules and reports is that baseline rules and reports do not retrieve their data from the eventdb (online storage) but from the baseline Profile database. Before baseline reports and rules can be used, it is therefore mandatory to define which data will be saved as baseline profiles. This can only be done on the backend, via the Supervisor CLI.

 

Baseline data is first written to the Daily database and later moved to the Profile database: at midnight, the data in the Daily database is processed and written to the Profile database. Baseline rules and reports therefore query baseline data from the Profile database.

 

Baseline data is recorded for each hour of the day, separately for weekdays (24 entries) and weekends (24 entries), so each baseline profile holds 48 entries.

 

The first step, configuring which data is saved to the baseline database, is therefore done via the Profile Reports. Each Profile Report has a unique Profile ID and a Profile Event Type. Once the Profile Reports are created and the Profile ID and Profile Event Type are shown, baseline reports and baseline rules can be created. Note, to create the Profile Event Type at.

 

The rule engine can use the baseline data to evaluate the aggregate conditions of a rule: it loads the baseline value for each hour from the Profile database into memory and evaluates the rule's aggregate condition on the current data against those values. If the result deviates from the baseline values, the rule can trigger an incident.
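
The following is an added illustration of the profile layout and lookup just described, written for this article and not FortiSIEM code: 48 slots (24 weekday hours plus 24 weekend hours), a lookup of the slot that matches the current timestamp, and a rule condition evaluated against the stored value. The page does not state how FortiSIEM folds successive days into one slot value or which comparison a given rule uses; the mean of the days seen and the "current > factor x baseline" condition are assumptions made here, and the HTTP status counts are constructed sample data.

```python
from datetime import datetime
from statistics import mean

# Added illustration, not FortiSIEM code: a profile laid out the way the article
# describes it, 24 hourly slots for weekdays and 24 for weekends (48 entries).
# Folding days into one slot value by taking the mean is an assumption.
WEEKDAY, WEEKEND = "weekday", "weekend"


def slot_for(ts):
    """Map a timestamp to its (day class, hour) baseline slot."""
    return (WEEKEND if ts.weekday() >= 5 else WEEKDAY), ts.hour


class BaselineProfile:
    def __init__(self):
        self.slots = {(d, h): [] for d in (WEEKDAY, WEEKEND) for h in range(24)}

    def record(self, ts, value):
        """Store one hourly aggregate (what the Daily database collects) in its slot."""
        self.slots[slot_for(ts)].append(value)

    def baseline(self, ts):
        samples = self.slots[slot_for(ts)]
        return mean(samples) if samples else None

    def exceeds(self, ts, current, factor):
        """Assumed rule condition 'current > factor x baseline'. An empty slot
        yields False: with no baseline there is nothing to compare against,
        which is why a baseline rule stays silent until the profile is populated."""
        b = self.baseline(ts)
        return b is not None and current > factor * b


def demo():
    """Constructed counts: weekday 09:00 runs at 100/h, weekend 09:00 at 10/h."""
    p = BaselineProfile()
    for day in range(6, 20):  # 2021-09-06 (Mon) .. 2021-09-19 (Sun), two weeks
        ts = datetime(2021, 9, day, 9)
        p.record(ts, 100 if ts.weekday() < 5 else 10)
    sat, tue = datetime(2021, 9, 25, 9), datetime(2021, 9, 28, 9)
    return {
        "saturday_baseline": p.baseline(sat),
        "tuesday_baseline": p.baseline(tue),
        "150_on_saturday": p.exceeds(sat, 150, 2.0),  # 150 > 2 * 10: anomaly
        "150_on_tuesday": p.exceeds(tue, 150, 2.0),   # 150 < 2 * 100: normal
        "unseen_slot": p.exceeds(datetime(2021, 9, 28, 3), 150, 2.0),  # no data
    }


if __name__ == "__main__":
    print(demo())
```

The same count of 150 requests is an anomaly on a Saturday morning and unremarkable on a Tuesday morning, which is the point of keeping weekday and weekend hours as separate entries; the unseen 03:00 slot shows why a freshly created profile produces no incidents until data has been collected for the hours the rule fires in.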

 

Note 1: the baselinemate script from the training must not be used in production; it exists only for training purposes.

 

Note 2: do not modify baseline reports/rules before first making the necessary changes to the related Profile Report in /opt/phoenix/data-definition/profile/ProfileReports.xml.

 

Troubleshooting:

 

- Make sure the root partition is not 100% full, because it holds the location where the baseline databases are saved (/opt/phoenix/cache).

- Review any changes made to the Profile Reports in /opt/phoenix/data-definition/profile/ProfileReports.xml.

- Ensure that the Profile Event Type of each Profile Report has been created under Admin -> Device Support -> Event Types, and select the Apply button to save the changes.

 

For example, for profile 152 the Event Type is PH_PROF_ET_152_HTTP_STATUS; the profile ID (id="152") appears in the Event Type name, as in the corresponding ProfileReports.xml entry:


Example: <DataRequest id="152" type="Report" profileET="PH_PROF_ET_152_HTTP_STATUS" numRows="10000">

 

- Each time /opt/phoenix/data-definition/profile/ProfileReports.xml is modified, restart the following processes on the Supervisor and on all Workers once the modifications are done: phReportMaster, phReportWorker, phQueryMaster, phQueryWorker, phRuleWorker, phRuleMaster.

 

- Send logs matching the new baseline profile to FortiSIEM at different times, so that more than one entry is filled in the Daily/Profile databases (there is one entry per hour).

 

- Check that daily.db contains data (it is updated every hour).

 

Example:

 

sqlite3 /opt/phoenix/cache/daily.db
.tables
select * from profile_152;

 

- Check that profile.db contains data (it is updated at midnight).

 

Example:

 

sqlite3 /opt/phoenix/cache/profile.db
.tables
select * from profile_152;

 

- Ensure that the data has been collected, by checking the hourly report files (available after midnight).

 

Report File example:


/data/eventdb/CUSTOMER_1/profile_report/i3600/<dateDirectory>/REPT_1_1630454400_1630457999_1630458600.rpt

 

Read a Report File:


/opt/phoenix/bin/PrintReportFile REPT_1_1630454400_1630457999_1630458600.rpt
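
The troubleshooting steps above (root partition, ProfileReports.xml, Profile Event Type naming, daily.db, profile.db and the hourly report files) can be run as one script. The following is an added helper written for this article, not FortiSIEM code. It uses the paths the article names, reads only the DataRequest elements from ProfileReports.xml (the root element name in the constructed sample is a placeholder), never assumes the column layout of the profile_<id> tables (only their presence and row counts), and treats the third timestamp in a REPT_ file name as the write time, which the article does not state. The wording of the findings and the sample XML and database contents are constructed for the demonstration.

```python
import os
import re
import shutil
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Added troubleshooting helper, not FortiSIEM code. Paths are the ones the
# article names; the profile_<id> column layout is NOT assumed.
PROFILE_XML = "/opt/phoenix/data-definition/profile/ProfileReports.xml"
DAILY_DB = "/opt/phoenix/cache/daily.db"
PROFILE_DB = "/opt/phoenix/cache/profile.db"
PROFILE_ET_RE = re.compile(r"^PH_PROF_ET_(\d+)_")
REPT_FILE_RE = re.compile(r"^REPT_\d+_(\d+)_(\d+)_(\d+)\.rpt$")


def expected_profiles(xml_path):
    """{profile id: profileET} for every <DataRequest> in ProfileReports.xml."""
    root = ET.parse(xml_path).getroot()
    return {r.get("id"): r.get("profileET") for r in root.iter("DataRequest")
            if r.get("id") and r.get("profileET")}


def profile_et_mismatch(pid, profile_et):
    """True unless profile_et is PH_PROF_ET_<pid>_... (the naming the article shows)."""
    m = PROFILE_ET_RE.match(profile_et)
    return m is None or m.group(1) != pid


def profile_table_counts(db_path):
    """{table name: row count} for each profile_<id> table in a baseline SQLite db."""
    con = sqlite3.connect(db_path)
    try:
        names = [row[0] for row in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name LIKE 'profile_%'")]
        return {n: con.execute('SELECT COUNT(*) FROM "%s"' % n.replace('"', '""')).fetchone()[0]
                for n in names}
    finally:
        con.close()


def disk_full(path="/", limit_pct=100):
    """True when the filesystem holding path has reached limit_pct usage."""
    usage = shutil.disk_usage(path)
    return 100 * usage.used / usage.total >= limit_pct


def diagnose(xml_path, daily_db, profile_db):
    """One finding per profile id, checked in the order the article lists."""
    daily, stored, findings = profile_table_counts(daily_db), profile_table_counts(profile_db), {}
    for pid, et in expected_profiles(xml_path).items():
        table = "profile_%s" % pid
        if profile_et_mismatch(pid, et):
            findings[pid] = "profileET %s does not match profile id" % et
        elif table not in daily:
            findings[pid] = "no %s table in daily.db: check the XML and restart the processes" % table
        elif daily[table] == 0:
            findings[pid] = "%s is empty in daily.db: no matching events received" % table
        elif stored.get(table, 0) == 0:
            findings[pid] = "daily.db populated, profile.db empty: wait for the midnight roll-over"
        else:
            findings[pid] = "ok"
    return findings


def report_window(filename):
    """Decode REPT_<n>_<start>_<end>_<third>.rpt into UTC datetimes; the article's
    example spans one hour (i3600). The third field is assumed to be the write time."""
    m = REPT_FILE_RE.match(os.path.basename(filename))
    if m is None:
        return None
    return tuple(datetime.fromtimestamp(int(x), tz=timezone.utc) for x in m.groups())


def build_fixture(directory):
    """Constructed sample files (not real FortiSIEM data) so the checks run offline.
    Root element name and the single 'hour' column are placeholders; nothing reads them."""
    xml_path = os.path.join(directory, "ProfileReports.xml")
    with open(xml_path, "w") as f:
        f.write("<ProfileReports>"
                '<DataRequest id="152" type="Report" profileET="PH_PROF_ET_152_HTTP_STATUS" numRows="10000"/>'
                '<DataRequest id="153" type="Report" profileET="PH_PROF_ET_153_DNS" numRows="10000"/>'
                '<DataRequest id="154" type="Report" profileET="PH_PROF_ET_152_COPYPASTE" numRows="10000"/>'
                "</ProfileReports>")
    daily_db, profile_db = os.path.join(directory, "daily.db"), os.path.join(directory, "profile.db")
    for path, rows in ((daily_db, 3), (profile_db, 0)):  # collected hourly, not yet rolled over
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE profile_152 (hour INTEGER)")
        con.executemany("INSERT INTO profile_152 VALUES (?)", [(h,) for h in range(rows)])
        con.commit()
        con.close()
    return xml_path, daily_db, profile_db


def demo():
    with tempfile.TemporaryDirectory() as d:
        return diagnose(*build_fixture(d))


if __name__ == "__main__":
    if os.path.exists(PROFILE_XML):  # on a Supervisor: run against the real files
        print("root partition full:", disk_full("/"))
        print(diagnose(PROFILE_XML, DAILY_DB, PROFILE_DB))
    else:
        print(demo())
```

On a Supervisor the script runs against the real files; elsewhere it runs on the constructed fixture, where profile 152 is still waiting for the midnight roll-over, profile 153 has never been collected, and profile 154 carries a copy-pasted Event Type name that does not contain its own ID. report_window() turns the example file name into 2021-09-01 00:00:00 to 00:59:59 UTC, the one-hour window that the i3600 directory name refers to.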