adem_netsys

FortiSIEM: Rule sync error

Hello,

I cloned the existing "Windows Security Log Cleared" rule in the rules and created it under a new name; the only changes were that I set the "within" value to 120 instead of 600 and set the rule to disabled by default. However, this time, when the rule was triggered, it created an incident with the default name and gave a sync error in the rule. What could be the reason?

1 Solution
Richie_C

Yes indeed. As per the documentation:

https://help.fortinet.com/fsiem/7-1-1/Online-Help/HTML5_Help/Notification_Settings.htm

"Notifications will be sent only if an incident occurs during the time range you set here."

Take a backup before making any changes

adem_netsys

Hi everyone,

Obviously, I'm not sure what's causing it. I added an incident header with a different name, but I still get a timed-out error. I looked at the services and they all look normal.

Richie_C

It's difficult to know exactly what is happening. Could you export the rule and share it? Also share a log that should trigger it. Change any sensitive information before sharing. I will try it in my lab when I have some spare time.

Take a backup before making any changes
adem_netsys

Hi @Richie_C 

I couldn't share the XML log. I got the related images.

Richie_C

@adem_netsys - It tested successfully in my lab (version 7.1.1).

I found a couple of test events from the web:

Jun 12 14:38:03.679: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/50, changed state to down
Jun 12 14:38:22.644: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/50, changed state to up

I configured the rule as per your screenshots. I replayed the events and it triggered as expected.

The rule was configured as follows:

<?xml version="1.0" encoding="UTF-8"?>
<rules>
  <DataRequest functionCategory="Other" mode="Streaming">
    <Name>Cisco Interface State Change</Name>
    <Description>A test to monitor the state change of an interface on a Cisco IOS device</Description>
    <Remediation/>
    <DataSource/>
    <DetectionTechnology>Correlation</DetectionTechnology>
    <PatternClause window="300">
      <SubPattern id="1366161" name="Filter_1">
        <SingleEvtConstr>reptDevIpAddr=1.2.3.4 AND (eventType="IOS-LINEPROTO-UPDOWN-TO-UP" OR eventType="IOS-LINEPROTO-UPDOWN-TO-DOWN")</SingleEvtConstr>
        <GroupEvtConstr>COUNT(*)&gt;=1</GroupEvtConstr>
        <GroupByAttr>reptDevIpAddr,eventType,eventName,intfName</GroupByAttr>
      </SubPattern>
    </PatternClause>
    <IncidentDef eventType="Cisco_Interface_State_Change" eventTypeGroup="PH_SYS_EVENT_PH_RULE" fireFreq="3600" severity="1">
      <ArgList>destIpAddr=Filter_1.reptDevIpAddr,compEventType=Filter_1.eventType,eventName=Filter_1.eventName,intfName=Filter_1.intfName</ArgList>
    </IncidentDef>
    <DynWatchLists/>
    <TriggerEventDisplay>
      <AttrList>phRecvTime,eventType,reptDevIpAddr,rawEventMsg,eventName,intfName</AttrList>
    </TriggerEventDisplay>
    <IncidentTitle>$destIpAddr Test</IncidentTitle>
  </DataRequest>
</rules>

I hope it helps.

Take a backup before making any changes
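As an added example (not from the thread, and not a Fortinet tool), a Python sanity check over the rule export posted above: it parses the XML and verifies that the PatternClause window is a positive integer, that every ArgList entry points at a declared SubPattern and one of that sub-pattern's GroupByAttr attributes, and that every $variable in IncidentTitle is defined in ArgList. These checks are my own assumptions about the format as it appears in the export, not FortiSIEM's own validation.

```python
import re
import xml.etree.ElementTree as ET

# Rule export as posted above (XML declaration omitted, whitespace added).
RULE_XML = """<rules><DataRequest functionCategory="Other" mode="Streaming">
<Name>Cisco Interface State Change</Name>
<PatternClause window="300">
<SubPattern id="1366161" name="Filter_1">
<SingleEvtConstr>reptDevIpAddr=1.2.3.4 AND (eventType="IOS-LINEPROTO-UPDOWN-TO-UP" OR eventType="IOS-LINEPROTO-UPDOWN-TO-DOWN")</SingleEvtConstr>
<GroupEvtConstr>COUNT(*)&gt;=1</GroupEvtConstr>
<GroupByAttr>reptDevIpAddr,eventType,eventName,intfName</GroupByAttr>
</SubPattern></PatternClause>
<IncidentDef eventType="Cisco_Interface_State_Change" eventTypeGroup="PH_SYS_EVENT_PH_RULE" fireFreq="3600" severity="1">
<ArgList>destIpAddr=Filter_1.reptDevIpAddr,compEventType=Filter_1.eventType,eventName=Filter_1.eventName,intfName=Filter_1.intfName</ArgList>
</IncidentDef>
<IncidentTitle>$destIpAddr Test</IncidentTitle>
</DataRequest></rules>"""


def check_rule(xml_text):
    """Return a list of cross-reference problems found in a rule export (empty list = consistent).
    The checks are assumptions derived from the export format, not FortiSIEM's own validation."""
    problems = []
    req = ET.fromstring(xml_text).find("DataRequest")
    pc = req.find("PatternClause")
    window = pc.get("window", "")
    if not window.isdigit() or int(window) <= 0:
        problems.append(f"PatternClause window is not a positive integer: {window!r}")
    # sub-pattern name -> attributes it groups by; ArgList may only reference these
    groups = {sp.get("name"): set(sp.findtext("GroupByAttr", "").split(","))
              for sp in pc.findall("SubPattern")}
    arg_names = set()
    for arg in req.findtext("IncidentDef/ArgList", "").split(","):
        incident_attr, _, source = arg.partition("=")   # destIpAddr = Filter_1.reptDevIpAddr
        filt, _, attr = source.partition(".")
        arg_names.add(incident_attr)
        if filt not in groups:
            problems.append(f"ArgList references unknown sub-pattern {filt!r}")
        elif attr not in groups[filt]:
            problems.append(f"{filt}.{attr} is not in GroupByAttr of {filt}")
    for var in re.findall(r"\$(\w+)", req.findtext("IncidentTitle", "")):
        if var not in arg_names:
            problems.append(f"IncidentTitle variable ${var} is not defined in ArgList")
    return problems


if __name__ == "__main__":
    print(check_rule(RULE_XML))  # consistent export: []
    # a hand-edited clone where the sub-pattern was renamed but ArgList was not
    print(check_rule(RULE_XML.replace('name="Filter_1"', 'name="Filter_2"')))
```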
adem_netsys

Hi @Richie_C 

First of all, I want to thank you for your interest.

When I examined it, I couldn't see much difference. What is the difference, or is there a problem with my version?

Richie_C

I tried to copy your rule as closely as I could. It is impossible to know the difference without seeing your XML and test events.

Take a backup before making any changes
adem_netsys

Obviously,

Frankly, I'm also having a problem with not dropping an incident when creating a new rule. I see that an event has occurred, but it doesn't turn into an incident. Have you experienced this before?
