Hello,
I cloned the existing "Windows Security Log Cleared" rule in the rules and created it in a new name, only I made the within value 120, not 600, and made the rule in the default disable. However, this time, when the rule was triggered, it created an incident with the name in the default and gave a sync error error in the rule. What could be the reason?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
yes indeed. As per the documentation:
https://help.fortinet.com/fsiem/7-1-1/Online-Help/HTML5_Help/Notification_Settings.htm
"Notifications will be sent only if an incident occurs during the time range you set here."
Hi
My suggestion would be to export the rules (both default and cloned) from the GUI in XML format. You can then compare the rules in a text editor.
My guess is that there is some confusion between the rule name and the Incident title. You can either amend the XML and import the rule or edit the incident title under Define Action > Action.
I hope it helps!
Hi @Richie_C
first of all thank you for your interest, my other question is about the notification part. Although I added the rules here, I think the notification is not working stable because I want it to send an e-mail every time it is triggered, but it does not do this continuously, I have not encountered such a problem before.
I am not aware of anything in the rule that would cause this behaviour.
It is possible to check the notification history of an incident. you should see that the email is sent successfully. Or maybe an error will be displayed. more information can be found here:
Im a bit confused. The above screenshot show TCP heavy scan in the top window. But only UDP host scan and windows security log cleared in the bottom window.
Do you have an example with UDP host scan?
Yes @Richie_C, The reason for the difference between the two is due to the time difference, I took this image before I added them, and since the result did not change after I added them, I did not add a new image.
Hi @Richie_C
Obviously, this is the current working rule, I deleted the one I cloned. The rule creates an incident but does not send notifications, and the notifications sent come randomly, not within a certain period of time. For example, two incidents occur, they are available in the notification policy, but one of them comes.
If you are saying that a new incident is triggered, but it does not create an email as configured, then it doesn't sound like normal behaviour. This would probably require a TAC case.
However, if it is the repeat of a previously triggered rule, then by default it would only trigger again after 24 hours.
As previously mentioned, you can check the notification history for the incident.
In the latest version 7.1 we can see the history in a nice new view:
In the above example we can see successfully triggered notifications. Maybe you will see an error in your system.
For Example, Normally, since the notification is 1 in 24 hours, if an incident is triggered with the same rule, you expect it to generate mail only 1 time, right, but this is not the case. It can create more than one in the form of Update and as you can see in the image, the same incident header sent a mail in an incident but not here. I'm confused.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1669 | |
1081 | |
752 | |
446 | |
224 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.