Documentation Rule Making Using Custom Baseline in FortiSIEM
Looking at system rules that use certain functions like "STAT_AVG" that rely on baseline data in FortiSIEM, you have to call a specific value that is contained within the event type used to create the system baseline report.
How do you create those values for custom baseline reports? Is that possible?
So for example, the following value "0.5*STAT_AVG(AVG(Event Rate):116)" is used as an aggregate condition in a system rule. This 116 value appears to reference a baseline report "Reporting EPS Profile" which uses the event type "PH_PROF_ET_116_EPS" as the only attribute value in the report.
Can you only use these pre-built values to create baselines? Can you use STAT_AVG in conjunction with a user created baseline report?
Is there any documentation explaining this process?