FortiSIEM Analytics Search for a certain time period, over a period of time.

PaulHolg · ‎07-17-2023

Say for example...I want to run a search in Analytics that match a certain raw log phrase, for a given period of time over a period of time? For example...all logs that show login connections, that occur between "Saturday at 5am and Sunday at Midnight" ; over the past 60 days ; to see all users who were logging in during the weekends.

OR ... even a method to trigger an incident or event that is thrown during a weekend time period, or "off hours" type time period, without having to provide a specific one time date range.

Thanks for any assistance..

Anthony_E · ‎07-20-2023

Hello Paul,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Anthony-Fortinet Community Team.

Jean-Philippe_P · ‎07-24-2023

Hello PaulHolg,

We are still looking for an answer to your question.

We will come back to you ASAP.

Thanks,

Jean-Philippe - Fortinet Community Team

Jean-Philippe_P · ‎07-25-2023

Hello PaulHolg,

I found this document:

https://help.fortinet.com/fsiem/6-7-0/Online-Help/HTML5_Help/Understanding_search_components.htm?Hig...

Could you please tell me if it helped?

If not, we will find another solution to reply to your answer.

Thanks,

Jean-Philippe - Fortinet Community Team

Richie_C · ‎08-02-2023

Hi PaulHolg

One idea would be to configure a time based exception on the rule. For example, you can configure the rule not trigger during business hours. It is possible to have multiple exceptions.

https://help.fortinet.com/fsiem/7-0-1/Online-Help/HTML5_Help/Creating-rules.html?Highlight=exception...

I hope it helps!

Take a backup before making any changes

PaulHolg · ‎10-24-2023

Thanks, looking at this now. I do not see a method in the Rule Exceptions -> Define Schedule to set timeframes that the rule would not be active.. There are days and dates, and ranges and durations. I'm not finding a place where I can tell it not to run during a certain time frame, every day. Please advise, Thanks for your assistance

Richie_C · ‎10-24-2023

Hey PaulHolg

The following screenshot is an example of a time based exception to run from 9am every day for 9 hours. This would mean that the rule would not trigger between 9am and 6pm every day of the week and every month of the year.

I hope that answers your question.

Take a backup before making any changes

PaulHolg · ‎10-24-2023

Thank you very much, I will give this a try.

Richie_C · ‎11-16-2023

Hi PaulHolg

I just thought you might be interested in the new feature in the latest release (7.1.0). The new feature allows you to schedule rules:

https://docs.fortinet.com/document/fortisiem/7.1.0/release-notes/671235/whats-new-in-7-1-0#Schedule2

The caveat is that your event storage type must be clickhouse.

Thanks

Richard

Take a backup before making any changes

FortiSIEM Analytics Search for a certain time period, over a period of time.

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website