Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
adem_netsys
Contributor

Created on ‎01-04-2024 04:06 AM

FortiSIEM: Rule sync error

Hello,

 

I cloned the existing "Windows Security Log Cleared" rule in the rules and created it in a new name, only I made the within value 120, not 600, and made the rule in the default disable. However, this time, when the rule was triggered, it created an incident with the name in the default and gave a sync error error in the rule. What could be the reason?

Labels:
2068
0 Kudos
1 Solution
Richie_C
Staff
Staff
In response to adem_netsys

Created on ‎01-05-2024 10:59 AM

yes indeed. As per the documentation:

 

https://help.fortinet.com/fsiem/7-1-1/Online-Help/HTML5_Help/Notification_Settings.htm

 

"Notifications will be sent only if an incident occurs during the time range you set here."

Take a backup before making any changes

View solution in original post

1917
26 REPLIES 26
Richie_C
Staff
Staff
In response to adem_netsys

Created on ‎01-05-2024 07:58 AM

It will trigger once in 24 hours if the incident is the same. For example, the source IP is the same. It will simply update the count. you can change this timer to send another notification more or less often.

 

If it is a different source, this should create a new incident and the notification should be sent for the new incident. If this is not happening it is probably either a config issue, issue sending emails, or a bug. 

Take a backup before making any changes
777
0 Kudos
adem_netsys
Contributor
In response to Richie_C

Created on ‎01-05-2024 08:41 AM

As I think I understand, the fact that the time range remains as "any" confirms that we expect it to send mail in every different trigger, right?

767
0 Kudos
Richie_C
Staff
Staff
In response to adem_netsys

Created on ‎01-05-2024 10:59 AM

yes indeed. As per the documentation:

 

https://help.fortinet.com/fsiem/7-1-1/Online-Help/HTML5_Help/Notification_Settings.htm

 

"Notifications will be sent only if an incident occurs during the time range you set here."

Take a backup before making any changes
1918
adem_netsys
Contributor
In response to Richie_C

Created on ‎01-09-2024 09:19 AM

Hi @Richie_C 

What is the logic of the "If this Pattern occurs within 600" part in Rule 2.define, is it related to the notification time?

743
0 Kudos
Richie_C
Staff
Staff
In response to adem_netsys

Created on ‎01-09-2024 09:43 AM

Hi @adem_netsys - This is a sliding window of time that FortiSIEM will evaluate the specific rule over.

 

Its difficult to explain concisely here, but it is well explained in the advanced analytics course on the NSE institute.

 

One thing that is important with this setting is not to be too aggressive as it can consume a lot of memory.

Take a backup before making any changes
739
0 Kudos
adem_netsys
Contributor
In response to Richie_C

Created on ‎01-09-2024 09:44 AM

Setting the time period here has nothing to do with the notification period, do I understand correctly?

737
0 Kudos
Richie_C
Staff
Staff
In response to adem_netsys

Created on ‎01-09-2024 09:56 AM

No it doesn't relate to the notification period.

Take a backup before making any changes
735
0 Kudos
dmontgomery
New Contributor III
In response to Richie_C

Created on ‎01-16-2024 07:00 AM

I am not sure what the link has to do with the issue described. I am seeing the same behaviour.

We cloned one of the system rules that was triggery a High severity alert incident. We changed the severity to low and deactivated the system rule. The System rule continues to triger high severity alerts and on the rule tab we see sync errors - timed out. See screenshot. We are not using notifications for this incident.

What is it trying to sync with and why is it behaving this way? sync errors.png

660
0 Kudos
Richie_C
Staff
Staff
In response to dmontgomery

Created on ‎01-17-2024 05:05 AM

Hi @dmontgomery 

This conversation moved away from the initial question. In the past, some of the reasons i have seen for the issue described is as follows:

 

  • Bad rule logic (unlikely as you are only cloning an existing rule)
  • Performance related (CPU, memory, swap memory)
  • Related to workers (if you have any. Information is shared between workers and super)

I did a quick test in my lab (7.1.1) and i was able to successfully clone a rule. I did the following:

 

  • Cloned the rule
  • Changed the name
  • Changed the severity
  • Changed the incident title
  • Cleared the existing incidents

After this, I could see the events with new title and severity.

 

Regards

Take a backup before making any changes
631
0 Kudos
dmontgomery
New Contributor III
In response to Richie_C

Created on ‎01-17-2024 06:50 AM

It was probably performance related. I had unrelated (I thought) issue and I rebooted the super. It resolved this and the other issue I had.

624
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.