Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
adem_netsys
Contributor

Created on ‎01-04-2024 04:06 AM

FortiSIEM: Rule sync error

Hello,

 

I cloned the existing "Windows Security Log Cleared" rule in the rules and created it in a new name, only I made the within value 120, not 600, and made the rule in the default disable. However, this time, when the rule was triggered, it created an incident with the name in the default and gave a sync error error in the rule. What could be the reason?

Labels:
3987
0 Kudos
1 Solution
Richie_C
Staff
Staff
In response to adem_netsys

Created on ‎01-05-2024 10:59 AM

yes indeed. As per the documentation:

 

https://help.fortinet.com/fsiem/7-1-1/Online-Help/HTML5_Help/Notification_Settings.htm

 

"Notifications will be sent only if an incident occurs during the time range you set here."

Take a backup before making any changes

View solution in original post

3836
26 REPLIES 26
Richie_C
Staff
Staff

Created on ‎01-05-2024 04:33 AM

Hi 

 

My suggestion would be to export the rules (both default and cloned) from the GUI in XML format. You can then compare the rules in a text editor.

 

My guess is that there is some confusion between the rule name and the Incident title. You can either amend the XML and import the rule or edit the incident title under Define Action > Action.

 

I hope it helps!

Take a backup before making any changes
1697
0 Kudos
adem_netsys
Contributor
In response to Richie_C

Created on ‎01-05-2024 04:40 AM

Hi @Richie_C 

first of all thank you for your interest, my other question is about the notification part. Although I added the rules here, I think the notification is not working stable because I want it to send an e-mail every time it is triggered, but it does not do this continuously, I have not encountered such a problem before.

 

Ekran görüntüsü 2024-01-05 153744.pngEkran görüntüsü 2024-01-04 200959.png

1693
0 Kudos
Richie_C
Staff
Staff
In response to adem_netsys

Created on ‎01-05-2024 04:58 AM

I am not aware of anything in the rule that would cause this behaviour.

 

It is possible to check the notification history of an incident.  you should see that the email is sent successfully. Or maybe an error will be displayed. more information can be found here:

 

https://help.fortinet.com/fsiem/7-1-1/Online-Help/HTML5_Help/FortiSIEM_Operations_Incidents_and_Case...

 

Take a backup before making any changes
1682
0 Kudos
Richie_C
Staff
Staff
In response to adem_netsys

Created on ‎01-05-2024 07:51 AM

Im a bit confused. The above screenshot show TCP heavy scan in the top window. But only UDP host scan and windows security log cleared in the bottom window. 

 

Do you have an example with UDP host scan?

Take a backup before making any changes
1654
0 Kudos
adem_netsys
Contributor
In response to Richie_C

Created on ‎01-05-2024 08:39 AM

Yes @Richie_C, The reason for the difference between the two is due to the time difference, I took this image before I added them, and since the result did not change after I added them, I did not add a new image.

1643
0 Kudos
Richie_C
Staff
Staff

Created on ‎01-05-2024 04:35 AM

 

incident-title.JPG

Take a backup before making any changes
1694
0 Kudos
adem_netsys
Contributor
In response to Richie_C

Created on ‎01-05-2024 05:04 AM

Hi @Richie_C 

 

Obviously, this is the current working rule, I deleted the one I cloned. The rule creates an incident but does not send notifications, and the notifications sent come randomly, not within a certain period of time. For example, two incidents occur, they are available in the notification policy, but one of them comes.

1676
0 Kudos
Richie_C
Staff
Staff
In response to adem_netsys

Created on ‎01-05-2024 05:37 AM

If you are saying that a new incident is triggered, but it does not create an email as configured, then it doesn't sound like normal behaviour. This would probably require a TAC case. 

 

However, if it is the repeat of a previously triggered rule, then by default it would only trigger again after 24 hours.

 

As previously mentioned, you can check the notification history for the incident. 

 

https://help.fortinet.com/fsiem/7-1-1/Online-Help/HTML5_Help/FortiSIEM_Operations_Incidents_and_Case...

 

 

In the latest version 7.1 we can see the history in a nice new view:

 

History.JPG

In the above example we can see successfully triggered notifications. Maybe you will see an error in your system.

Take a backup before making any changes
1667
0 Kudos
adem_netsys
Contributor
In response to Richie_C

Created on ‎01-05-2024 07:17 AM

For Example, Normally, since the notification is 1 in 24 hours, if an incident is triggered with the same rule, you expect it to generate mail only 1 time, right, but this is not the case. It can create more than one in the form of Update and as you can see in the image, the same incident header sent a mail in an incident but not here. I'm confused.Ekran görüntüsü 2024-01-05 180940.png

1657
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.