Hi Team,
Let's say that from the SIEM (QRadar) we received an offense "ATTACK SIGNATURES OBSERVED BY IPS FROM EXTERNAL SOURCE", and the same offense has triggered again for the same customer with the same entities after 1 hour. Now we want to club the offenses with the parameters below:
[[
When the same offense triggers
with the same entities
under the same tenant
within the next 6 hours,
club all of them into one alert, and the playbook should only run on the first offense recorded in the alert
]]
How can we achieve this?
Regards,
Shashank
You can use the Pre/Post Processing Rules feature, which was introduced in v7.5.0.
FortiSOAR includes a rule-based pre-processing feature that is activated before incoming records are stored in the database, providing the flexibility to make decisions such as dropping records based on predefined criteria. Additionally, the implementation of a post-processing rule improves record management by linking similar records based on specified similarity criteria. This post-processing rule enables intelligent linking of records, reduces reliance on resource-intensive playbooks and optimizes system performance. In summary, these rule-based pre- and post-processing features enhance the control and efficiency of the SOAR platform.
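To make the linking behaviour asked for in the question concrete (same offense name, same entities, same tenant, grouped for 6 hours, playbook only on the first record), here is an added standalone example of that correlation logic. It is not FortiSOAR's own code and does not use the FortiSOAR post-processing rule API; it is a plain Python model of the decision a post-processing rule would make. The `Offense` and `Alert` records, the field names, and the sample offenses are constructed for illustration. One design choice to note: the 6-hour window is measured from the first offense in the alert, not from the most recent one, so a steady stream of repeats still produces a fresh alert (and a fresh playbook run) every 6 hours rather than one alert that never closes.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Window during which repeats of the same offense are linked to one alert (from the question).
LINK_WINDOW = timedelta(hours=6)


@dataclass
class Offense:
    """Hypothetical incoming SIEM offense record (field names are assumptions)."""
    offense_id: int
    name: str            # e.g. the IPS signature / offense title
    tenant: str          # customer / tenant the record belongs to
    entities: frozenset  # observed entities, e.g. source and destination IPs
    observed_at: datetime


@dataclass
class Alert:
    """Hypothetical alert that groups linked offenses."""
    alert_id: int
    key: tuple
    first_seen: datetime
    offense_ids: List[int] = field(default_factory=list)


def correlation_key(o: Offense) -> tuple:
    """Offenses are 'the same' when tenant, offense name and entity set all match."""
    return (o.tenant, o.name, o.entities)


class OffenseLinker:
    """Models a post-processing rule: link similar records, flag the first one for the playbook."""

    def __init__(self, window: timedelta = LINK_WINDOW):
        self.window = window
        self.alerts: List[Alert] = []
        self._open: Dict[tuple, Alert] = {}  # most recent alert per correlation key
        self._next_id = 1

    def process(self, offense: Offense) -> Tuple[Alert, bool]:
        """Return (alert the offense was linked to, whether the playbook should run).

        The playbook runs only when a new alert is opened, i.e. on the first offense.
        """
        key = correlation_key(offense)
        alert = self._open.get(key)
        if alert is not None and offense.observed_at - alert.first_seen <= self.window:
            alert.offense_ids.append(offense.offense_id)  # link to the existing alert
            return alert, False
        # No open alert, or the window from its first offense has expired: open a new one.
        alert = Alert(self._next_id, key, offense.observed_at, [offense.offense_id])
        self._next_id += 1
        self._open[key] = alert
        self.alerts.append(alert)
        return alert, True


def link_offenses(offenses: List[Offense]) -> List[Tuple[int, int, bool]]:
    """Process offenses in time order; return (offense_id, alert_id, run_playbook) per offense."""
    linker = OffenseLinker()
    results = []
    for o in sorted(offenses, key=lambda x: x.observed_at):
        alert, run_playbook = linker.process(o)
        results.append((o.offense_id, alert.alert_id, run_playbook))
    return results


def run_demo() -> List[Tuple[int, int, bool]]:
    """Constructed sample offenses (not real data) exercising tenant, entity and window boundaries."""
    sig = "ATTACK SIGNATURES OBSERVED BY IPS FROM EXTERNAL SOURCE"
    ents = frozenset({"203.0.113.7", "10.0.0.5"})   # documentation-range sample IPs
    t0 = datetime(2024, 1, 1, 0, 0)
    offenses = [
        Offense(1001, sig, "tenant-A", ents, t0),                            # first -> new alert, playbook
        Offense(1002, sig, "tenant-A", ents, t0 + timedelta(hours=1)),       # repeat after 1h -> linked
        Offense(1003, sig, "tenant-B", ents, t0 + timedelta(minutes=70)),    # other tenant -> own alert
        Offense(1004, sig, "tenant-A", ents, t0 + timedelta(hours=5, minutes=59)),  # still in window
        Offense(1005, sig, "tenant-A", ents, t0 + timedelta(hours=6, minutes=30)),  # window expired -> new alert
        Offense(1006, sig, "tenant-A", frozenset({"198.51.100.9", "10.0.0.5"}),
                t0 + timedelta(hours=6, minutes=45)),                        # different entities -> own alert
    ]
    return link_offenses(offenses)


if __name__ == "__main__":
    for offense_id, alert_id, run_playbook in run_demo():
        print(f"offense {offense_id} -> alert {alert_id}, run playbook: {run_playbook}")
```

Running the script shows offenses 1001, 1002 and 1004 collapsing into one alert with the playbook flagged only for 1001, while the other-tenant record, the different-entity record and the repeat arriving after the 6-hour boundary each open their own alert. If records can arrive out of order, sort them by observation time before processing (as `link_offenses` does), otherwise a late-arriving older record could be linked to the wrong alert.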