PaulHolg
New Contributor II

FortiSIEM Analytics Search for a certain time period, over a period of time.

Say, for example... I want to run a search in Analytics that matches a certain raw log phrase, for a given period of time over a period of time? For example... all logs that show login connections that occur between "Saturday at 5am and Sunday at Midnight", over the past 60 days, to see all users who were logging in during the weekends.

OR... even a method to trigger an incident or event that is thrown during a weekend time period, or an "off hours" type time period, without having to provide a specific one-time date range.

Thanks for any assistance.

Anthony_E
Community Manager

Hello Paul,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Anthony - Fortinet Community Team.
Jean-Philippe_P
Moderator

Hello PaulHolg,

We are still looking for an answer to your question.

We will come back to you ASAP.

Thanks,

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Moderator

Hello PaulHolg,

I found this document:

https://help.fortinet.com/fsiem/6-7-0/Online-Help/HTML5_Help/Understanding_search_components.htm?Hig...

Could you please tell me if it helped?

If not, we will find another solution to reply to your answer.

Thanks,

Jean-Philippe - Fortinet Community Team
Richie_C
Staff

Hi PaulHolg,

One idea would be to configure a time-based exception on the rule. For example, you can configure the rule not to trigger during business hours. It is possible to have multiple exceptions.

https://help.fortinet.com/fsiem/7-0-1/Online-Help/HTML5_Help/Creating-rules.html?Highlight=exception...

I hope it helps!

Take a backup before making any changes
PaulHolg
New Contributor II

Thanks, looking at this now. I do not see a method in the Rule Exceptions -> Define Schedule to set timeframes in which the rule would not be active. There are days and dates, and ranges and durations. I'm not finding a place where I can tell it not to run during a certain time frame every day. Please advise. Thanks for your assistance.

Richie_C

Hey PaulHolg,

The following screenshot is an example of a time-based exception to run from 9am every day for 9 hours. This would mean that the rule would not trigger between 9am and 6pm every day of the week and every month of the year.

I hope that answers your question.

Take a backup before making any changes
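The two ideas in this thread, a recurring weekend window for PaulHolg's login search (Saturday 5am to Sunday midnight, looked back over 60 days) and the daily 9am-plus-9-hours exception Richie_C describes for a rule, share one piece of logic: deciding whether a timestamp falls inside a window that repeats every week or every day. The Python below is an added example that implements that logic outside FortiSIEM; it is not FortiSIEM code and not something anyone in the thread posted. The `RecurringWindow` type, the function names, the "Accepted password" login phrase, the sample events and the "current time" are all constructed for the example, and "Sunday at Midnight" is read as the end of Sunday (43 hours from Saturday 05:00). Timestamps are naive local time, so the windows compare against the same clock the logs were written in.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional


@dataclass(frozen=True)
class RecurringWindow:
    """A time window that repeats every week (weekday fixed) or every day (weekday None)."""
    weekday: Optional[int]   # 0 = Monday ... 6 = Sunday; None = every day
    start: time              # local wall-clock start of the window
    duration: timedelta      # how long the window stays open from start


# Hypothetical windows for the thread's two cases (assumptions, not FortiSIEM settings).
# "Saturday at 5am to Sunday at Midnight", taking midnight as the end of Sunday: 43 hours.
WEEKEND = RecurringWindow(weekday=5, start=time(5, 0), duration=timedelta(hours=43))
# The exception Richie_C describes: every day from 09:00 for 9 hours (09:00-18:00).
BUSINESS_HOURS = RecurringWindow(weekday=None, start=time(9, 0), duration=timedelta(hours=9))


def in_recurring_window(ts: datetime, window: RecurringWindow) -> bool:
    """True if ts lies inside the most recent occurrence of the window (durations up to 7 days)."""
    for back in range(8):                      # candidate start days: today back to a week ago
        day = ts.date() - timedelta(days=back)
        if window.weekday is not None and day.weekday() != window.weekday:
            continue
        start = datetime.combine(day, window.start)
        if start <= ts < start + window.duration:
            return True
    return False


# Constructed sample events (timestamp, user, raw message); not real log data.
SAMPLE_EVENTS = [
    ("2024-03-09T05:30:00", "alice", "Accepted password for alice from 10.0.0.5"),   # Sat 05:30: weekend
    ("2024-03-09T04:59:00", "bob",   "Accepted password for bob from 10.0.0.6"),     # Sat 04:59: before window
    ("2024-03-10T23:30:00", "carol", "Accepted password for carol from 10.0.0.7"),   # Sun 23:30: weekend
    ("2024-03-11T00:10:00", "dave",  "Accepted password for dave from 10.0.0.8"),    # Mon 00:10: window closed
    ("2024-03-12T10:00:00", "erin",  "Accepted password for erin from 10.0.0.9"),    # Tue 10:00: business hours
    ("2024-03-12T19:00:00", "frank", "Accepted password for frank from 10.0.0.10"),  # Tue 19:00: off hours
    ("2024-03-12T19:05:00", "frank", "Failed password for frank from 10.0.0.10"),    # not a successful login
    ("2023-12-30T06:00:00", "zed",   "Accepted password for zed from 10.0.0.11"),    # Saturday, but > 60 days old
]
NOW = datetime(2024, 3, 15, 12, 0, 0)   # constructed "current time" for the 60-day lookback


def weekend_login_users(events, now=NOW, lookback_days=60, phrase="Accepted password"):
    """Users whose successful logins fell inside WEEKEND during the last lookback_days."""
    cutoff = now - timedelta(days=lookback_days)
    users = set()
    for ts_text, user, raw in events:
        ts = datetime.fromisoformat(ts_text)
        if not (cutoff <= ts <= now) or phrase not in raw:
            continue
        if in_recurring_window(ts, WEEKEND):
            users.add(user)
    return sorted(users)


def off_hours_logins(events, exception=BUSINESS_HOURS, phrase="Accepted password"):
    """Logins an off-hours rule would still evaluate once the exception suppresses business hours."""
    return [
        (ts_text, user)
        for ts_text, user, raw in events
        if phrase in raw and not in_recurring_window(datetime.fromisoformat(ts_text), exception)
    ]


if __name__ == "__main__":
    print("Weekend logins in the last 60 days:", weekend_login_users(SAMPLE_EVENTS))
    for ts_text, user in off_hours_logins(SAMPLE_EVENTS):
        print("off-hours login:", ts_text, user)
```

The exception check is the inverse of the search check: a rule with a business-hours exception simply skips every event for which `in_recurring_window` is true, which is why one window type serves both the weekend search and the rule schedule. The 60-day cutoff is applied before the window test so that old events never reach it.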
PaulHolg
New Contributor II

Thank you very much, I will give this a try.  

Richie_C

Hi PaulHolg,

I just thought you might be interested in the new feature in the latest release (7.1.0). The new feature allows you to schedule rules:

https://docs.fortinet.com/document/fortisiem/7.1.0/release-notes/671235/whats-new-in-7-1-0#Schedule2

The caveat is that your event storage type must be ClickHouse.

Thanks,

Richard

Take a backup before making any changes