FortiSIEM alerts classification
Hi, how is it possible to classify alerts coming from FortiSIEM (or from other sources)? I would like to be able to decide, based on the contents of a field, which playbook to activate. I can do this in a playbook that identifies the type of alert and activates the corresponding sub-playbooks. Is there a better way?
Hi,
In FortiSIEM there is the option of Tags (Admin -> Settings -> Analytics -> Tags)
You can add as many tags as you want to a Rule (Rules -> Define Action section). You can utilise the tags to steer your playbook decision making.
Also the MITRE ATT&CK technique might be an option here as well. But tags are the easiest and most effective way.
NOTE: The tags were removed from the API in some versions but were re-introduced in version 7.1.X, I think. You can check FNDN.
Regards,
S
@crimali , you need to do two things
1) as part of Ingestion, ensure appropriate Type is mapped to corresponding SIEM Rule
2) Create an individual playbook for responding to each such type.
For this use case playbook, ensure the Trigger is per the attached image.
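Both answers above describe the same routing decision: read something the SIEM rule attached to the incident (a tag, a mapped type, or an ATT&CK technique) and dispatch to a dedicated playbook. The block below is an added example of that dispatcher in Python, written for this page; it is not code from the thread, from FortiSIEM or from FortiSOAR. The incident field names (`rule_name`, `tags`, `attack_technique`), the playbook names and the sample incidents are all constructed assumptions for the demo; the field names in particular depend on how your SIEM connector maps the FortiSIEM incident into the SOAR record. It shows two points the text only implies: when a rule carries several tags you need a defined priority, and you need a fallback (here the ATT&CK technique, then a generic triage playbook) so no incident is left unrouted.

```python
"""Route a FortiSIEM incident to a playbook by rule tags, with fallbacks.

Added example, not from the forum thread, FortiSIEM or FortiSOAR.
Field names, playbook names and sample incidents are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed mapping: FortiSIEM rule tag -> playbook to trigger.
# This is an ordered list, not a dict, so that when an incident carries
# several tags the most severe one (listed first) wins.
TAG_TO_PLAYBOOK = [
    ("ransomware",  "PB-Ransomware-Containment"),
    ("malware",     "PB-Malware-Triage"),
    ("brute-force", "PB-Account-Lockout-Review"),
    ("phishing",    "PB-Phishing-Analysis"),
]

# Fallback when no tag matched: route by MITRE ATT&CK technique ID
# (sub-techniques such as T1566.002 are folded into their parent).
TECHNIQUE_TO_PLAYBOOK = {
    "T1110": "PB-Account-Lockout-Review",   # Brute Force
    "T1486": "PB-Ransomware-Containment",   # Data Encrypted for Impact
    "T1566": "PB-Phishing-Analysis",        # Phishing
}

# Last resort so every incident gets a playbook and an analyst sees it.
DEFAULT_PLAYBOOK = "PB-Generic-Triage"


@dataclass
class Incident:
    """Minimal stand-in for the incident record the connector produces (assumed)."""
    rule_name: str
    tags: object = None               # list of str, comma-separated str, or None
    attack_technique: Optional[str] = None


def normalize_tags(raw) -> list:
    """Accept tags as a list or a comma-separated string (assumption about the
    connector) and return a lowercase, stripped, de-duplicated list."""
    if raw is None:
        return []
    if isinstance(raw, str):
        raw = raw.split(",")
    seen, out = set(), []
    for t in raw:
        t = str(t).strip().lower()
        if t and t not in seen:
            seen.add(t)
            out.append(t)
    return out


def select_playbook(incident: Incident) -> tuple:
    """Return (playbook_name, reason). Tags are checked first in priority
    order, then the ATT&CK technique, then the default."""
    tags = normalize_tags(incident.tags)
    for tag, playbook in TAG_TO_PLAYBOOK:
        if tag in tags:
            return playbook, f"tag:{tag}"
    tech = (incident.attack_technique or "").strip().upper()
    base = tech.split(".")[0]          # T1566.002 -> T1566
    if base in TECHNIQUE_TO_PLAYBOOK:
        return TECHNIQUE_TO_PLAYBOOK[base], f"technique:{base}"
    return DEFAULT_PLAYBOOK, "default"


def route_all(incidents) -> dict:
    """Map each incident's rule name to its (playbook, reason) decision."""
    return {inc.rule_name: select_playbook(inc) for inc in incidents}


# Constructed sample incidents covering each routing path.
SAMPLE_INCIDENTS = [
    Incident("Excessive Failed Logons", tags="Brute-Force, Identity"),
    Incident("Ransomware File Activity", tags=["malware", "ransomware"]),
    Incident("Suspicious Outbound Mail", tags=[], attack_technique="T1566.002"),
    Incident("Unusual Port Scan", tags=None),
]

if __name__ == "__main__":
    for name, (pb, why) in route_all(SAMPLE_INCIDENTS).items():
        print(f"{name:30s} -> {pb} ({why})")
```

In a real deployment this logic would live in the single entry playbook's decision step and `select_playbook` would return the name of the sub-playbook to call; keeping the tag table ordered is what makes a multi-tag rule deterministic, and logging the `reason` alongside the chosen playbook makes the routing auditable when a tag is later renamed in FortiSIEM.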