FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
froslan, Staff
Article Id 417277
Description

This article explains how to test a correlation rule that uses the NOT FOLLOWED BY operator in FortiSIEM, to verify that the rule triggers incidents correctly when the second event does not occur within the defined time frame.

Scope

FortiSIEM.

Solution

Step 1: Insert the raw event logs in Rule Debug Event. The Reporting IP will be 127.0.0.1, since the event is injected directly from the GUI.

Note:

There is no need to modify the timestamp in the raw event log, as the test will only consider the time pause (sec) defined between Event 1 and Event 2.

Step 2: Set the time pause value. If Event 2 is not received within 2 minutes, the incident should be triggered. Enter 120 seconds for the second event in the time field.

Step 3: Run the rule test. The results will be displayed on the right side of the dashboard. The corresponding test incident will appear on the Incident page even if the rule has not been activated.
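
As an added illustration (not FortiSIEM's own code), the following Python model shows what the NOT FOLLOWED BY semantics exercised in Steps 1 to 3 mean in practice: an incident fires for an Event 1 only once the 120-second time pause has elapsed without a matching Event 2. The event type names, the attribute used to pair the two events, and the sample timestamps are constructed for this example.

```python
from dataclasses import dataclass

WINDOW_SEC = 120  # time pause between Event 1 and Event 2, as entered in Step 2


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since epoch (constructed values)
    event_type: str  # hypothetical event type names
    key: str         # attribute that pairs Event 1 with Event 2 (e.g. host name)
    reporting_ip: str = "127.0.0.1"  # events injected from the GUI report from localhost


def not_followed_by(events, first_type, second_type, window_sec, now):
    """Return the pairing keys for which the rule fires at time `now`.

    Event 1 fires when no matching Event 2 arrives in (t1, t1 + window_sec]
    and that window has already closed. Open windows are not reported yet.
    """
    events = sorted(events, key=lambda e: e.ts)
    fired = []
    for e1 in (e for e in events if e.event_type == first_type):
        deadline = e1.ts + window_sec
        if now < deadline:
            continue  # window still open, no decision possible yet
        followed = any(
            e2.event_type == second_type and e2.key == e1.key
            and e1.ts < e2.ts <= deadline
            for e2 in events
        )
        if not followed:
            fired.append(e1.key)
    return fired


# Constructed sample: three hosts report Event 1; only host-a sends Event 2 in time.
T0 = 1_700_000_000
SAMPLE = [
    Event(T0,       "Job-Started", "host-a"),
    Event(T0 + 90,  "Job-Done",    "host-a"),  # 90 s  < 120 s: no incident
    Event(T0,       "Job-Started", "host-b"),
    Event(T0 + 130, "Job-Done",    "host-b"),  # 130 s > 120 s: incident
    Event(T0,       "Job-Started", "host-c"),  # never done: incident
]

if __name__ == "__main__":
    print(not_followed_by(SAMPLE, "Job-Started", "Job-Done", WINDOW_SEC, now=T0 + 300))
```

Evaluating the sample before the window closes (for example at T0 + 60) returns nothing, which mirrors why the rule test must wait out the configured time pause before a test incident can appear.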