Hi everyone, I'd just like to exchange thoughts or practices about baseline-focused rules on the FortiSIEM: At the moment, about 80% of our Incidents are "Sudden increase in ...", as we narrowed down all the other rules to not trigger on False Positiv...

Hello everyone, We are continuously experiencing the incident "High performance monitoring delay from Collector or Worker SIEM Supervisor" on our FortiSIEM platform. That one is triggered as soon as the Event Type "PH_DEV_MON_PERFMON_ALL_DEVICE_DELAY...

Dear Community support, I've had a custom avatar image for a while (I think I've set this two-three years ago) and tried to update it recently. But my finger was too fast, so I got one of the "community avatars" now. Now, my question is: How can I set a cust...

Hello all, We are in discussion with a customer that likes to host the FortiSIEM on prem but considers moving to our multi-tenant cloud environment some day in the future. As we are just setting up the SIEM, I would like to build the environment in a way ...

Dear community, Maybe anyone else already wrapped his/her head around this on FortiSIEM: I am looking for an aggregation function in the analytics/report generation that behaves like the SQL "concat" command, meaning writing all the values of all rows into...

Hello Ali, I am sorry, but I don't understand your question here. You can only clear manually, so the auto-clear (ML or clear-condition cleared it) and system-clear (one day after the incident happened) are just something to give you a better understanding ab...

Hi Muhammed, I see, you asked for other values than days, weeks or months - not for where to change it. Concerning "never": You can set it to expire in 99999 months. That's not exactly "never" but very close to it. For shorter values, I assume, this i...

Hi Muhammed, As far as I know, you cannot change it on the predefined lists. You may only pick the items in it and change their expiration manually. But you can define your own watchlists. When creating or changing a custom one, you can define the val...

Hello Ali, Your questions are covered in the NSE training for FortiSIEM (FCP): Event Database: Stores the events in an organized way, including the raw logs. CMDB (Configuration Management Database): Stores the configuration of your SIEM: The things t...

Hi @yadde, Just one side-note: In our SOC (currently on FSM v7.1.3) our analysts obviously trained the AI enough to sort out a lot of false positives already; they make use of the "Incident Resolution Recommendation", see: https://help.fortinet.com/f...