adem_netsys
Contributor

FortiSIEM: Rule sync error

Hello,

I cloned the existing "Windows Security Log Cleared" rule in the rules and created it under a new name; the only changes were that I set the "within" value to 120 instead of 600 and disabled the default one. However, this time, when the rule was triggered, it created an incident with the default rule's name and gave a sync error in the rule. What could be the reason?

1 Solution
Richie_C

Yes indeed. As per the documentation:

https://help.fortinet.com/fsiem/7-1-1/Online-Help/HTML5_Help/Notification_Settings.htm

"Notifications will be sent only if an incident occurs during the time range you set here."

Take a backup before making any changes


26 REPLIES
Richie_C
Staff

Hi

My suggestion would be to export the rules (both default and cloned) from the GUI in XML format. You can then compare the rules in a text editor.

My guess is that there is some confusion between the rule name and the Incident title. You can either amend the XML and import the rule or edit the incident title under Define Action > Action.

I hope it helps!

Take a backup before making any changes
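One way to carry out the XML comparison suggested above, as an added example that is not from the original thread or from Fortinet: it parses two constructed rule exports, reports the fields that differ, and flags when the clone still carries the original rule's incident title. The element and attribute names used here (Rule name/id/active, IncidentTitle, PatternClause window) are assumptions about the export format; check them against a real export before relying on them.

```python
import xml.etree.ElementTree as ET

# Constructed sample exports. The element and attribute names are assumptions
# about the FortiSIEM rule export format, not copied from a real export.
DEFAULT_RULE_XML = """<Rules>
  <Rule name="Windows Security Log Cleared" id="PH_RULE_EXAMPLE_DEFAULT" active="false">
    <IncidentTitle>Windows Security Log Cleared</IncidentTitle>
    <PatternClause window="600"/>
  </Rule>
</Rules>"""

CLONED_RULE_XML = """<Rules>
  <Rule name="Windows Security Log Cleared - Clone" id="PH_RULE_EXAMPLE_CLONE" active="true">
    <IncidentTitle>Windows Security Log Cleared</IncidentTitle>
    <PatternClause window="120"/>
  </Rule>
</Rules>"""


def rule_fields(xml_text):
    """Pull the few fields discussed in the thread out of a single-rule export."""
    rule = ET.fromstring(xml_text).find("Rule")
    clause = rule.find("PatternClause")
    return {
        "name": rule.get("name", ""),
        "id": rule.get("id", ""),
        "active": rule.get("active", ""),
        "incident_title": rule.findtext("IncidentTitle", default=""),
        "window": clause.get("window", "") if clause is not None else "",
    }


def compare_rules(default_xml, cloned_xml):
    """Return (differing fields, warnings). A warning means a field that a
    clone is usually expected to change was left identical to the original."""
    a, b = rule_fields(default_xml), rule_fields(cloned_xml)
    diffs = {k: (a[k], b[k]) for k in a if a[k] != b[k]}
    warnings = []
    if a["incident_title"] == b["incident_title"]:
        warnings.append("IncidentTitle is identical: incidents raised by the clone "
                        "will carry the original rule's title")
    return diffs, warnings


if __name__ == "__main__":
    diffs, warnings = compare_rules(DEFAULT_RULE_XML, CLONED_RULE_XML)
    for field, (old, new) in diffs.items():
        print(f"{field}: default={old!r} clone={new!r}")
    for w in warnings:
        print("WARNING:", w)
```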
adem_netsys

Hi @Richie_C

First of all, thank you for your interest. My other question is about the notification part. Although I added the rules here, I think the notification is not working stably, because I want it to send an e-mail every time it is triggered, but it does not do this consistently. I have not encountered such a problem before.

[Screenshot 2024-01-05 153744.png] [Screenshot 2024-01-04 200959.png]

Richie_C

I am not aware of anything in the rule that would cause this behaviour.

It is possible to check the notification history of an incident. You should see that the email is sent successfully, or maybe an error will be displayed. More information can be found here:

https://help.fortinet.com/fsiem/7-1-1/Online-Help/HTML5_Help/FortiSIEM_Operations_Incidents_and_Case...

Take a backup before making any changes
Richie_C

I'm a bit confused. The above screenshot shows TCP heavy scan in the top window, but only UDP host scan and Windows security log cleared in the bottom window.

Do you have an example with UDP host scan?

Take a backup before making any changes
adem_netsys

Yes @Richie_C, the reason for the difference between the two is the time difference: I took this image before I added them, and since the result did not change after I added them, I did not add a new image.

Richie_C
Staff

[incident-title.JPG]

Take a backup before making any changes
adem_netsys

Hi @Richie_C

Obviously, this is the current working rule; I deleted the one I cloned. The rule creates an incident but does not send notifications, and the notifications that are sent come randomly, not within a certain period of time. For example, two incidents occur, both are covered by the notification policy, but only one of them comes.

Richie_C

If you are saying that a new incident is triggered, but it does not create an email as configured, then it doesn't sound like normal behaviour. This would probably require a TAC case.

However, if it is the repeat of a previously triggered rule, then by default it would only trigger again after 24 hours.

As previously mentioned, you can check the notification history for the incident.

https://help.fortinet.com/fsiem/7-1-1/Online-Help/HTML5_Help/FortiSIEM_Operations_Incidents_and_Case...

In the latest version 7.1 we can see the history in a nice new view:

[History.JPG]

In the above example we can see successfully triggered notifications. Maybe you will see an error in your system.

Take a backup before making any changes
adem_netsys

For example, normally, since the notification is 1 in 24 hours, if an incident is triggered by the same rule you expect it to generate mail only once, right? But this is not the case. It can create more than one in the form of an Update, and as you can see in the image, the same incident header sent a mail in one incident but not here. I'm confused. [Screenshot 2024-01-05 180940.png]
