How to import MISP data threat feeds into FortiSIEM

Note: requires "jq" to be installed on the Supervisor node.

wget -O jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
chmod +x ./jq
cp jq /usr/bin
The way to check would be under Admin -> Setup -> Storage / Online and
look at the Event Database. If this is EventDB, then your only option would
be a parser modification to extract the value.
Thank you. If you are using ClickHouse as the database, you can use the
EXTRACT function as follows in a Display Field:

EXTRACT(Raw Event Log, "Relying Party: (.*?\n)")

This should give you what you need in a field, and then you can add the COUNT.
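As an added illustration (not part of any reply above, and not FortiSIEM or ClickHouse code), the following Python runs the same regular expression the reply suggests over a few constructed multi-line raw events and tallies the extracted values the way a COUNT on the display field would. It also shows one caveat of that pattern: because the lazy group must end at a "\n", an event whose "Relying Party:" line is the last line with no trailing newline yields no match, and the captured value otherwise carries the newline. The sample events and the alternative pattern in extract_relying_party_robust are my own, not taken from the thread.

```python
import re
from collections import Counter

# Constructed sample raw events (not real FortiSIEM data). Each string stands
# for one "Raw Event Log" value; the last one has no "Relying Party" line.
SAMPLE_EVENTS = [
    "Event ID: 1200\nRelying Party: https://app1.example.test/\nUser: alice\n",
    "Event ID: 1200\nRelying Party: https://app2.example.test/\nUser: bob\n",
    "Event ID: 1200\nRelying Party: https://app1.example.test/\nUser: carol\n",
    "Event ID: 1202\nUser: dave\n",
]

# The pattern from the reply: lazy group that stops at, and includes, the first newline.
PATTERN_FROM_REPLY = re.compile(r"Relying Party: (.*?\n)")

# Assumed alternative (my own): capture up to end of line without requiring a newline,
# so a value on the last line of the event still matches.
PATTERN_ROBUST = re.compile(r"Relying Party: ([^\r\n]*)")


def extract_relying_party(raw_event: str, strip: bool = True):
    """Return the first capture group of the reply's pattern, or None if no match.

    With strip=False the captured value still ends in "\n", which is what the
    original pattern hands back; strip=True trims it for grouping and counting.
    """
    m = PATTERN_FROM_REPLY.search(raw_event)
    if not m:
        return None
    value = m.group(1)
    return value.strip() if strip else value


def extract_relying_party_robust(raw_event: str):
    """Same field, but matches even when 'Relying Party:' is the final line."""
    m = PATTERN_ROBUST.search(raw_event)
    return m.group(1).strip() if m else None


def count_relying_parties(events, extractor=extract_relying_party):
    """Count occurrences per extracted value, skipping events with no match."""
    counts = Counter()
    for ev in events:
        value = extractor(ev)
        if value is not None:
            counts[value] += 1
    return dict(counts)


if __name__ == "__main__":
    for party, n in sorted(count_relying_parties(SAMPLE_EVENTS).items()):
        print(f"{n:3d}  {party}")
    # Demonstrate the trailing-newline caveat on a single-line event.
    last_line_event = "Event ID: 1200\nRelying Party: https://app3.example.test/"
    print("reply pattern:", extract_relying_party(last_line_event))
    print("robust pattern:", extract_relying_party_robust(last_line_event))
```

If the raw events stored in ClickHouse always end each line with a newline, the reply's pattern is sufficient; if the relying party can be the last field, the character-class form avoids silently dropping those events from the count.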
It is covered in the NSE7 training, which covers rules in more depth, and
I think it provides a handout of the incident attribute mappings.
Basically, from the incident attributes, FortiSIEM will determine what
is the Incident Source / Target and D...