FortiSIEM
mbenvenuti
Staff
Article Id 385915
Description This article describes how to delete one rule from the CLI.
Scope FortiSIEM.
Solution

Depending on the situation, it may be necessary to remove a rule from the command line on the FortiSIEM Supervisor ("super") node. Here are the steps:


  1. Identify the rule and its ID: connect to the super over SSH and look up the rule name and rule ID with the following command (replace the text between the '%' wildcards with the rule name you are searching for; ILIKE makes the match case-insensitive):


psql -U phoenix phoenixdb -c "select id,name, to_timestamp(creation_time/1000) as creation_time, cust_org_id, to_timestamp(last_modified_time/1000) as last_modified_time, to_timestamp(activated_time/1000) as activated_time, active from ph_drq_rule where name ilike '%account locked: Domain%';"
   id    |              name               |     creation_time      | cust_org_id |   last_modified_time   | activated_time | active
---------+---------------------------------+------------------------+-------------+------------------------+----------------+--------
 4791560 | Account Locked: Domain 4/2/2025 | 2025-04-02 12:00:07+00 |           0 | 2025-04-02 12:00:08+00 |                | f
  991201 | Account Locked: Domain          | 2025-01-31 11:02:47+00 |           0 | 2025-03-12 11:31:43+00 |                | f
(2 rows)


Make sure this is the correct rule, and note its ID for use in the following commands.


  2. Delete the rule (the mapping tables that reference the rule are cleared first, then the rule row itself):


psql -U phoenix phoenixdb -c "delete from ph_drq_rule2event_filter where rule_id=4791560;"
psql -U phoenix phoenixdb -c "delete from ph_drq_rule2technique where rule_id=4791560;"
psql -U phoenix phoenixdb -c "delete from ph_dwl_rule_mapping where rule_id=4791560;"
psql -U phoenix phoenixdb -c "delete from ph_test_event where rule_id=4791560;"
psql -U phoenix phoenixdb -c "delete from ph_drq_rule where id=4791560;"
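The two steps above, wrapped into a small shell script as an added example (this is not part of the Fortinet article and not FortiSIEM's own tooling). It keeps the article's table names and the `psql -U phoenix phoenixdb` invocation, but adds two things an operator typically wants: the rule ID is checked to be a plain integer before it is interpolated into SQL, and the five DELETE statements run inside one transaction with `ON_ERROR_STOP` so a statement failing part-way cannot leave the mapping tables half-cleaned. The function names (`valid_rule_id`, `build_check_sql`, `build_delete_sql`, `delete_rule`) are this example's own.

```shell
#!/bin/bash
# Added example, not from the Fortinet article: wraps the article's lookup and
# delete statements. Table names and the psql invocation are the article's;
# the id validation, confirmation prompt and transaction are this example's.

# Accept only a plain decimal integer. The id is interpolated into SQL text,
# so anything else is refused instead of being handed to psql.
valid_rule_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# SQL that shows the rule (name and active flag) so the operator can confirm
# it is the intended one before anything is deleted.
build_check_sql() {
    valid_rule_id "$1" || { echo "invalid rule id: '$1'" >&2; return 1; }
    printf 'SELECT id, name, active FROM ph_drq_rule WHERE id=%s;\n' "$1"
}

# SQL that deletes the rule: mapping tables first, ph_drq_rule last, wrapped
# in BEGIN/COMMIT. Run with ON_ERROR_STOP, psql aborts on the first failing
# statement and the uncommitted transaction is rolled back.
build_delete_sql() {
    valid_rule_id "$1" || { echo "invalid rule id: '$1'" >&2; return 1; }
    cat <<EOF
BEGIN;
DELETE FROM ph_drq_rule2event_filter WHERE rule_id=$1;
DELETE FROM ph_drq_rule2technique WHERE rule_id=$1;
DELETE FROM ph_dwl_rule_mapping WHERE rule_id=$1;
DELETE FROM ph_test_event WHERE rule_id=$1;
DELETE FROM ph_drq_rule WHERE id=$1;
COMMIT;
EOF
}

# Show the rule, ask for confirmation, then run the delete transaction.
delete_rule() {
    local rule_id="$1"
    build_check_sql "$rule_id" | psql -U phoenix phoenixdb || return 1
    printf 'Delete rule %s and its mappings? [y/N] ' "$rule_id"
    read -r answer
    [ "$answer" = "y" ] || { echo "aborted"; return 1; }
    build_delete_sql "$rule_id" | psql -U phoenix phoenixdb -v ON_ERROR_STOP=1
}

# Only act when invoked directly with a rule id, e.g. ./delete_rule.sh 4791560
if [ -n "$1" ]; then
    delete_rule "$1"
fi
```

Usage: run it on the Supervisor as a user that can reach `phoenixdb`, passing the ID noted in step 1. The generated SQL can also be reviewed first with `build_delete_sql 4791560` before anything is executed.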


If the rule was active, the running rule set must be reloaded for the deletion to take effect: either make a modification to another activated rule in the GUI, or restart the application server with:


kill -9 $(cat /opt/glassfish/domains/domain1/config/pid)