Help
FortiSOAR Discussions
Varsha1
New Contributor II

Created on ‎06-03-2024 11:28 PM

Clubbing of same type of offenses under same alerts

Hi Team,

 

Let say from SIEM Q-Radar we received an offense "ATTACK SIGNATURES OBSERVED BY IPS FROM EXTERNAL SOURCE"  and the same offense has triggered for same customer with same entities again after 1 hour.. now we want to club the offenses with below parameters 

 

[[

When same offense trigger

with same entities

under same tenant

for next 6 hours

club all of such in one alert and playbook should only run on the first offense  recorded in the alert

]] 

 

How can we achieve this ? 

 

Regards,

Shashank

110
0 Kudos
1 REPLY 1
anarula
Staff
Staff

Created on ‎06-04-2024 01:50 AM

You can use Pre/Post Processing Rules feature that was introduced in v7.5.0

 

  • FortiSOAR includes a rule-based pre-processing feature that is activated before incoming records are stored in the database, providing the flexibility to make decisions such as dropping records based on predefined criteria. Additionally, the implementation of a post-processing rule improves record management by linking similar records based on specified similarity criteria. This post-processing rule enables intelligent linking of records, reduces reliance on resource-intensive playbooks and optimizes system performance. In summary, these rule-based pre- and post-processing features enhance the control and efficiency of the SOAR platform.

CTO (SOAR Business) | VP of Engineering
88
Announcements

Welcome to your new FortiSOAR Community!

View More

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.