
FortiSIEM Adding Widgets to Dashboards

Adding Widgets to Dashboards
  1. Navigate to the widget dashboard where you want to add the widget.
  2. At the bottom of the dashboard click Add Reports to Dashboard.
  3. For multi-tenant deployments, select the Organization that you want to have access to the report.
  4. Select a Category for the type of report you want to add.
  5. Under Available Reports, select the report you want to add, and then click the >> button to add it to the Selected Reports.
  6. Click OK.

To add CMDB Reports, select from the CMDB Reports folder in Step 5.


FortiSIEM Creating a Customized Dashboard

Creating a Customized Dashboard

You can create both Summary and Widget custom dashboards.

  1. In the Dashboard tab, select My Dashboard in the General view.
  2. At the top of the General view, click the + icon.
  3. Enter a Group to categorize the dashboard, and a Description.
  4. Select a Dashboard Type.
  5. Click OK.

The dashboard will be added under My Dashboard.

  1. Select the dashboard.
  2. For a Device Summary Dashboard, click Devices at the top of the dashboard and select the devices you want to add to the dashboard.
  3. For a Widget Dashboard, click Add Reports to Dashboard, and then select the reports you want to add.

FortiSIEM Setting a Dashboard to Home

Setting a Dashboard to Home

You can set any system or user-defined dashboard to be your home page when you log into FortiSIEM.

  1. In the Dashboard view, select the dashboard you want to set for your home page.
  2. At the top of the General view of the dashboards, click the Home icon.

The Home icon will be filled in rather than greyed out, and the next time you log into FortiSIEM, the page you selected will be your home page.

FortiSIEM Creating Dashboard Slideshow

Creating Dashboard Slideshow

Exporting and Importing Dashboards

It is possible to export and then import the following types of widget dashboards:

  My Dashboard
  Availability/Performance > Avail/Perf Widgets
  Biz Svc Dashboard
  Dashboards By Function

To export a dashboard:

  1. Go to a specific dashboard folder.
  2. Click Export on the top right portion.
  3. An XML file will be created and saved.

To import a dashboard, first have the XML file ready:

  1. Go to a specific dashboard folder.
  2. Click Import on the top right portion.
  3. Provide the dashboard file in XML format.

Link Usage Dashboard

For perimeter network devices such as firewalls and routers, it is important to know which interfaces are busy and which traffic is consuming the most resources. This special dashboard provides this view and enables users to determine which router interfaces are over-utilized, which applications are using them, and what the QoS statistics are.

Dashboards – HTML5 version


Dashboards – HTML5 version

FortiSIEM includes two types of dashboards:

Summary dashboards that show multiple metrics for a device in a single line. This enables users to see multiple metrics of the same device in one view.

Widget dashboards that provide separate views of each metric. This enables users to see the critical devices for one metric at a time.

Multiple dashboards can be grouped into a folder. Users first need to choose the dashboard folder and then select the dashboard within that folder.

Viewing System Dashboards

FortiSIEM provides several built-in dashboard folders covering many functional areas:

Infrastructure level
  Network Dashboard
  Server Dashboard
  VMWare Dashboard
  Web Server Dashboard
  Application Server Dashboard

Cloud Infrastructure level
  Amazon Web Services Dashboard

Security Dashboard

Storage level
  NetApp Dashboard
  VNX Dashboard

Application level
  Salesforce Dashboard
  Office 365 Dashboard
  Google Apps Dashboard

FortiSIEM Dashboard

To view these dashboards:

  1. Log on to FortiSIEM.
  2. Switch to the right organization (for the Service Provider version).
  3. Click the Dashboard tab on the main user interface.
  4. Select the appropriate dashboard folder from the drop-down. The dashboards belonging to the selected folder will show, and the contents of the first dashboard will display automatically.
  5. Select the appropriate dashboard to see its contents.
Creating New Dashboards

Creating a new dashboard folder

Creating a new dashboard within a folder

Adding reports to a widget dashboard

Adding devices to a summary dashboard

Make sure that you are logged on to the right organization (for Service Provider version).

Creating a new dashboard folder
  1. Click on the dashboard folder menu and Select
  2. Enter the name of the new dashboard folder
  3. The new dashboard will show
Creating a new dashboard within a folder
  1. Click on the icon on the top bar
  2. Enter the following information
    1. Name – the name of the dashboard
    2. Type – Widget or Summary dashboard
    3. Description
  3. Click Save
Adding reports to a widget dashboard
  1. Click on the icon on the left under the dashboard name
  2. Select the report and it will highlight
  3. Drag the report to the dashboard and the results will show.
  4. To customize the chart settings, see here.

To add a CMDB Report, simply add from the CMDB Report folder in Step 2.

Adding devices to a summary dashboard
  1. Click on the icon on the top menu bar
  2. Select the device(s) and move them to the right pane by clicking the button
  3. Click OK
  4. To customize the columns, see here
Deleting Dashboards

Note that built-in dashboard folders and dashboards cannot be deleted.

Deleting user defined dashboards
  1. Click on the button next to the dashboard
  2. Click OK
Deleting user defined dashboard folders
  1. Click on the button next to the dashboard folder
  2. Click OK
Modifying Dashboards
Modifying widget display
  1. Select a widget and click on the Settings button
  2. Customize the fields as appropriate
    1. Title – the chart name that displays at the top
    2. Display – select chart type from the possible options
    3. Width – the size of the chart in horizontal dimension – note that this is relative
    4. Height – the size of the chart in vertical dimension – note that this is relative
    5. Refresh interval – how often the chart’s content will refresh
    6. Result Limit – number of rows in the result
  3. Click OK.
Adding reports to a widget dashboard
  1. Click on the icon on the left under the dashboard name.
  2. Select the report and it will highlight.
  3. Drag the report to the dashboard and the results will show.
  4. To customize the chart settings, see here.

If you want to add a new report or modify a system report, follow these steps:

  1. Create the report in Analytics.
  2. The report will then show up in the list of reports in Step 2 above.
Modifying widget dashboard layout

There are two possibilities – Tile layout (default) or column layout.

  1. To select Tile layout, select Tile option from the menu next to on top. Tile layout allows you to place widgets of several sizes on the dashboard.
  2. To select a column layout, choose the number of columns from the menu next to .
Adding, removing and re-ordering columns on a summary dashboard
  1. Select the button at the top.
  2. To remove one or more columns from display, select them in the Selected Columns and then move them to the left by clicking the button.
  3. To add one or more columns to the display:
    1. Select an Event Type in the left most column. The corresponding metrics from that event type will show.
    2. Select one or more columns in the middle column.
    3. Move them to the right by clicking the button.
  4. To change the position of the columns
  5. Click OK to save the changes.
Sharing Dashboards

The following sharing rules are enforced:

User-created dashboard folders and their contents are only visible to the user who created them. If such a folder needs to be visible to other users, we recommend using a shared account or using the export/import mechanism to create the folder for that user.

System dashboard folders are owned by FortiSIEM. Any changes to those dashboards may be lost during upgrade, if FortiSIEM also decides to change those dashboards.

FortiSIEM HTML5 Importing and Exporting Widget Dashboards

Importing and Exporting Widget Dashboards
Importing widget dashboards

Widget Dashboards can be imported from another FortiSIEM installation or from another dashboard folder of the same installation. If the two FortiSIEM installations do not run the same version, the charts may look different because the data definitions may differ.

  1. Make sure you are viewing the dashboard.
  2. Click Import.
  3. Select the file from your local desktop. It must be an XML file suitable for import. Typically this is exported from another FortiSIEM system.
  4. Click Import.
  5. The dashboard will display.
Exporting widget dashboards
  1. Make sure you are viewing the dashboard.
  2. Click Export.

FortiSIEM Analytics


Analytics

FortiSIEM Analytics has three components:

Search

FortiSIEM search functionality includes real time and historical search of information that has been collected from your IT infrastructure. With real time search, you can see events as they happen, while historical search is based on information stored in the event database. Both types of search include simple keyword searching, and structured searches that let you search based on specific event attributes and values, and then group the results by attributes.

Rules

Because FortiSIEM is continuously monitoring your IT infrastructure, you can also set rules so that when specific conditions are met, it triggers an incident, and, in some cases, sends a notification.

Reports

Reports are pre-defined search queries. FortiSIEM includes a large catalog of reports for common devices and IT analysis tasks that you can use and customize, and you can also save searches that you’ve run as reports to use again later.

Adding a Watch List to a Rule

Cloning a Rule

Running Historical Searches to Test Rule Sub Patterns

Setting Rules for Event Dropping

Setting Rules for Event Forwarding

Setting Global and Per-Device Threshold Properties

Using Geolocation Attributes in Rules

Using Watch Lists as Conditions in Rules and Reports

Viewing Rules

Reports

Baseline Reports

System-Defined Baseline Reports

Creating a Report or Baseline Report

Identity and Location Report

Report Bundles

Creating a Report Bundle

Running a Report Bundle

Running System and User-Defined Reports and Baseline Reports

Scheduling Reports

Viewing Available Reports

Audit

Creating Audit Report

Running an Audit

Exporting Audit Results

Scheduling an Audit

Visual Analytics

AccelOps Visual Analytics Architecture

Installation and Configuration of AccelOps Visual Analytics

Requirements for Visual Analytics Report Server

Setting Up Visual Analytics

Hypervisor Installations for Report Server

Installing and Registering AccelOps Report Server in Amazon Web Services

Installing and Registering AccelOps Report Server in KVM

Installing and Registering AccelOps Report Server in Microsoft Hyper-V

Installing and Registering AccelOps Report Server in VMware ESX

Syncing with the Report Server

Working with the Report Server

Report Server Architecture: phoenixdb and reportdb

Working with CMDB Data in AccelOps Report Server

Viewing phoenixdb Organization

Querying Incident Data in AccelOps Report Server

Reference: Attribute Columns in the ph_incident_view Table

Sample Incident Queries

Querying Other CMDB Tables in AccelOps Report Server

Querying Device Vendor and Model Distribution for Discovered Devices

Querying Discovered Devices

Working with Event Data in AccelOps Report Server

Viewing reportdb Organization

Syncing an AccelOps Report with Report Server

Deleting a Report from AccelOps Report Server

Modifying an Existing Report in AccelOps Report Server

Installing and Configuring Tableau Server

Creating and Managing Workbooks

Viewing Workbooks

Creating and Publishing Workbooks

Creating a Single Sheet Workbook

Creating a Multiple Sheet Workbook

Using AccelOps Workbooks with Tableau Visual Analytics Desktop and Server

Adding Users to Workbooks

Real Time Performance Probe

Search

Historical and Real Time search is the core functionality of FortiSIEM analytics, enabling you to analyze, report on, and further improve your IT infrastructure.

Historical Search

Overview of the Historical Search User Interface

Example of How a Structured Historical Search is Processed

Sample Historical Searches

Creating a Simple Historical Search

Creating a Structured Historical Search

Using System-Defined Reports for Historical Search

Overview of Historical Search Results and Charts

Refining the Results from Historical Search

Charting a Specific Row from Historical Search Results

Charting Multiple Aggregation Attributes on the Same Historical Search Results Chart

Drilling Down on Search Results by Time Interval

Using Search Results to Refine Historical Searches

Using Tabs to View Multiple Search Results

Converting an Historical Search to a Real Time Search

Converting an Historical Search to a Rule

Real Time Search

Overview of the Real Time Search User Interface

Creating a Simple Real Time Search

Creating a Structured Real Time Search

Viewing and Refining Real Time Search Results

Structured Search Operators

Selecting Attributes for Structured Searches, Display Fields, and Rules

Using Expressions in Structured Searches and Rules

Keywords and Operators for Simple Searches

Using Geolocation Attributes in Searches and Search Results

Creating Filter Criteria and Display Column Sets

Historical Search

With the Historical Search feature, you can go back in time and retrieve events from the event database. By using either a simple keyword-based search or a more detailed structured search, you can get quick and valuable insights into events that have occurred over any selected time period.

Overview of the Historical Search User Interface

Example of How a Structured Historical Search is Processed

Sample Historical Searches

Creating a Simple Historical Search

Creating a Structured Historical Search

Using System-Defined Reports for Historical Search

Overview of Historical Search Results and Charts

Refining the Results from Historical Search

Charting a Specific Row from Historical Search Results

Charting Multiple Aggregation Attributes on the Same Historical Search Results Chart

Drilling Down on Search Results by Time Interval

Using Search Results to Refine Historical Searches

Using Tabs to View Multiple Search Results

Converting an Historical Search to a Real Time Search

Converting an Historical Search to a Rule

Overview of the Historical Search User Interface

You can run two types of historical searches on FortiSIEM data: simple searches, in which you use a keyword search, and structured searches, in which you can specify search conditions and how the results should be grouped.

Simple Historical Search

Simple Historical Search User Interface Controls

Structured Historical Search

Simple Historical Search

When you use simple historical search, you enter a keyword to search for in the logs collected by FortiSIEM, specify any filter criteria, and then run the search, which will produce a chart and a list of results matching your search criteria. You can then use additional user interface controls to change the chart display, filter or find more information about events in the result list, and export or share results.

This screenshot shows the results of a simple search using the keyword TCP.

Simple Historical Search User Interface Controls

Search Criteria
  For simple historical search, use the search box to find keywords in raw event logs. You can also load an existing historical search report to use for your search criteria, or create a rule from your search results.

List Display Columns
  Select which columns will be displayed in the search results.

Filters
  Set the time interval over which you want to search, and, for multi-tenant deployments, which organization’s logs you want to search.

Report Management
  Save: Saves the report to Generated Reports where it will be retained for the time period you specify. You can also select whether you want the search criteria to be saved as a report that you can use in the future.
  Export: Export the report, with the option of including the chart, as a PDF or CSV file.
  Email: Email the report as a CSV or PDF file, with the option of including the chart.
  Copy to a new tab: Load the search into a new tab within FortiSIEM.

Chart Display
  You can set both the data you want to display, and how it should be displayed. See Overview of Historical Search Results and Charts for more about the different chart types.

Event Filter
  Select an event from the results, and add its attributes to structured search conditions.

Event Information
  Select an event, and view Quick Info about it, or view Location information about it such as source or destination IPs.

Structured Historical Search

With historical structured search, you can enter conditions for your search based on event attributes, and set which attributes will be used to group the search results, in a way that is similar to the use of the Group By command in SQL.

This screenshot shows a structured historical search for All Non-Reporting Modules selected from the system Reports > Event Status. The screenshot below it shows a close-up of the Conditions and Group By options dialog. See Creating a Structured Historical Search and Structured Search Operators for more information about these options.

Example of How a Structured Historical Search is Processed

When you run a structured historical search, all events within the specified time window are examined and added to the result set following these steps:

  1. The system fetches the next event within the search time window and applies the filtering criteria. If the event does not pass the filtering criteria, the system fetches the next event.
  2. If the event passes the filtering criteria, the system then compares the attributes of this event against the other entries in the result set. If the current event contains an attribute that is included in the Group By attribute set, then the results for that attribute are updated. Otherwise, a new entry is created in the result set.
  3. After all the events in the search time window are processed, the system sorts the results to produce the final result set.

As an example, consider these events in the event database, and running a search for Top Firewall Recorded Conversations Ranked By Total Connections (Descending) and Total Bytes (descending) over them.

Event id  Time      Reporting Device  Source IP    Destination IP  Protocol  Source Port  Destination Port  Total Bytes
1         1/1/2010  10.1.1.1          192.168.1.1  192.168.10.4    TCP       2033         80                1024
2         1/2/2010  10.1.1.1          192.168.1.2  192.168.10.4    TCP       3000         443               4096
3         1/3/2010  10.1.1.1          192.168.1.1  192.168.10.4    TCP       2034         80                1024
4         1/4/2010  10.1.1.1          192.168.1.2  192.168.10.5    TCP       3001         443               2048
5         1/4/2010  10.1.1.1          192.168.1.1  192.168.10.4    TCP       2035         80                1024
6         1/5/2010  10.1.1.1          192.168.1.2  192.168.10.6    TCP       3002         443               2048
7         1/5/2010  10.1.1.2          192.168.1.1  192.168.10.4    TCP       9000         80                1024

Search: Top Firewall Recorded Conversations Ranked By Total Connections (Descending) and Total Bytes (descending)

Search Criteria:
  Filtering criteria: Reporting Device IP IN Firewall AND Event Type IN Permit Traffic
  Group-By attributes: Source IP, Destination IP, IP Protocol, Destination Port
  Display attributes: Source IP, Destination IP, IP Protocol, Destination Port, SUM(Matched Events) DESC, SUM(Total Bytes) DESC
  Query window: Between 1/2/10 and 1/5/10

Result:

Source IP  Destination IP  Protocol  Destination Port  COUNT(Matched Events)  SUM(Total Bytes)
192.1.1.1  202.1.1.4       TCP       80                3                      3072
192.1.1.2  202.1.1.4       TCP       80                1                      4096
192.1.1.2  202.1.1.5       TCP       443               1                      2048
192.1.1.2  202.1.1.6       TCP       443               1                      2048

You could then run another search over these results:

Search: Top Destination IPs Ranked By Total Connections (Descending) and Total Bytes (descending)

Search Criteria:
  Filtering criteria: Reporting Device IP IN Firewall AND Event Type IN Permit Traffic
  Group-By attributes: Destination IP
  Display attributes: Destination IP, SUM(Matched Events) DESC, SUM(Total Bytes) DESC
  Query window: Between 1/2/10 and 1/5/10

Result:

Destination IP  COUNT(Matched Events)  SUM(Total Bytes)
202.1.1.4       4                      7 KB
202.1.1.5       1                      2 KB
202.1.1.6       1                      2 KB
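The three processing steps above (filter, update or create a Group By entry, sort at the end), applied in Python to the seven sample events from the table, as an added example that is not FortiSIEM code. Both searches in this section are reproduced; the event type Permit Traffic and the firewall group membership of 10.1.1.1 and 10.1.1.2 are assumptions, since the event table does not list them, and the results use the table's own 192.168.x.x addresses.

```python
"""Model of FortiSIEM structured historical search processing:
filter -> Group By aggregation -> sort (example, not product code)."""
from collections import defaultdict
from datetime import date

# Constructed copy of the documentation's sample event table.
# Columns: id, time, reporting device, source IP, destination IP,
#          protocol, source port, destination port, total bytes
EVENTS = [
    (1, date(2010, 1, 1), "10.1.1.1", "192.168.1.1", "192.168.10.4", "TCP", 2033, 80, 1024),
    (2, date(2010, 1, 2), "10.1.1.1", "192.168.1.2", "192.168.10.4", "TCP", 3000, 443, 4096),
    (3, date(2010, 1, 3), "10.1.1.1", "192.168.1.1", "192.168.10.4", "TCP", 2034, 80, 1024),
    (4, date(2010, 1, 4), "10.1.1.1", "192.168.1.2", "192.168.10.5", "TCP", 3001, 443, 2048),
    (5, date(2010, 1, 4), "10.1.1.1", "192.168.1.1", "192.168.10.4", "TCP", 2035, 80, 1024),
    (6, date(2010, 1, 5), "10.1.1.1", "192.168.1.2", "192.168.10.6", "TCP", 3002, 443, 2048),
    (7, date(2010, 1, 5), "10.1.1.2", "192.168.1.1", "192.168.10.4", "TCP", 9000, 80, 1024),
]
FIELDS = ("id", "time", "reporting_ip", "src_ip", "dst_ip", "proto",
          "src_port", "dst_port", "total_bytes")

# Assumed CMDB group "Firewall": both reporting devices in the table.
FIREWALLS = {"10.1.1.1", "10.1.1.2"}


def as_records(rows):
    """Convert the tuples to attribute dicts. The table has no Event Type
    column, so every event is tagged Permit Traffic (assumption)."""
    recs = []
    for row in rows:
        rec = dict(zip(FIELDS, row))
        rec["event_type"] = "Permit Traffic"
        recs.append(rec)
    return recs


def structured_search(events, window, filter_fn, group_by):
    """Run the documented algorithm.

    window    -- (start, end) dates; inclusive at both ends, because the
                 documented 1/2/10-1/5/10 result counts the 1/5 events
    filter_fn -- predicate implementing the Filtering criteria
    group_by  -- attribute names that form the Group By set
    Returns rows (group values..., COUNT(Matched Events), SUM(Total Bytes))
    sorted by count DESC, then total bytes DESC.
    """
    start, end = window
    buckets = defaultdict(lambda: [0, 0])  # group key -> [count, bytes]
    for ev in events:
        # Step 1: skip events outside the window or failing the filter.
        if not (start <= ev["time"] <= end) or not filter_fn(ev):
            continue
        # Step 2: update the entry for this Group By key, creating it on
        # first sight (defaultdict does the "new entry" case).
        key = tuple(ev[attr] for attr in group_by)
        buckets[key][0] += 1
        buckets[key][1] += ev["total_bytes"]
    # Step 3: sort only after every event in the window was processed.
    rows = [key + (cnt, total) for key, (cnt, total) in buckets.items()]
    rows.sort(key=lambda r: (r[-2], r[-1]), reverse=True)
    return rows


def firewall_permit(ev):
    """Filtering criteria: Reporting Device IP IN Firewall AND
    Event Type IN Permit Traffic."""
    return ev["reporting_ip"] in FIREWALLS and ev["event_type"] == "Permit Traffic"


WINDOW = (date(2010, 1, 2), date(2010, 1, 5))  # "Between 1/2/10 and 1/5/10"


def top_conversations():
    """First search: Group By Source IP, Destination IP, IP Protocol,
    Destination Port."""
    return structured_search(as_records(EVENTS), WINDOW, firewall_permit,
                             ("src_ip", "dst_ip", "proto", "dst_port"))


def top_destinations():
    """Second search: Group By Destination IP only."""
    return structured_search(as_records(EVENTS), WINDOW, firewall_permit,
                             ("dst_ip",))
```

Event 1 falls outside the query window, so the 192.168.1.1 to 192.168.10.4 conversation counts three events (3, 5, 7), and the second search sums the same four events for 192.168.10.4 to 7168 bytes, the 7 KB of the documented result.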

Sample Historical Searches

Sample Filter Criteria

Sample Structured Searches

Sample Filter Criteria

Filter criteria: Raw Event Log CONTAINS “login AND failed”
Type: Simple (keyword) search
Meaning: Only events that contain both the keywords “logon” and “failed” are part of the report

Filter criteria: Raw Event Log CONTAINS “denied”
Type: Simple (keyword) search
Meaning: Only events that contain the keyword “denied” are part of the report

Filter criteria: Reporting Device IP = 10.1.1.1
Type: Structured search
Meaning: Only events from the device that is reporting with IP address 10.1.1.1 are part of the report

Filter criteria: Reporting Device IP IN Firewall
Type: Structured search
Meaning: Only events from firewall devices in CMDB are part of the report

Filter criteria: Reporting Device IP IN Firewall AND Event Type IN Deny Traffic
Type: Structured search
Meaning: Only firewall deny events from firewall devices in CMDB are part of the report

Filter criteria: Reporting Device IP IN Firewall AND Event Type IN Deny Traffic AND (Source IP = 192.1.1.1 OR Dest IP = 192.1.1.1)
Type: Structured search
Meaning: Denied traffic from 192.1.1.1 or to 192.1.1.1 reported by firewall devices in CMDB is part of the report

Filter criteria: Reporting Device IP IN Domain Controller AND Event Type IN User/Group Change AND user NOT IN Domain Admins
Type: Structured search
Meaning: Domain Controller User/Group Changes not performed by users in the Domain Admins group

Filter criteria: Raw Event Log REGEXP “faddr\s+\d+.\d+\d+\d+”
Type: Structured search
Meaning: Only events that contain strings like “faddr 10.1.1.1” or “faddr 192.168.29.1” are included in the report

Sample Structured Searches

The following examples illustrate how to write a search using the AccelOps GUI.

Top Reporting Firewalls ranked by event count in the last hour
  Filter Criteria: Reporting Device IP IN Firewall
  Group By attributes: Reporting Device IP
  Display attributes: Reporting IP, COUNT(Matched Events) DESC
  Query window: 1 hour

Top Reporting Firewalls and Event Types ranked by event count in the last hour
  Filter Criteria: Reporting Device IP IN Firewall
  Group By attributes: Reporting Device IP, Event Type
  Display attributes: Reporting IP, Event Type, Severity, COUNT(Matched Events) DESC
  Query window: 1 hour

Top Firewall Denied Source IPs ranked by the total number of attempts in the last hour
  Filter Criteria: Reporting Device IP IN Firewall AND Event Type IN Deny Traffic
  Group By attributes: Source IP
  Display attributes: Source IP, COUNT(Matched Events) DESC
  Query window: 1 hour

Top Firewall Recorded Conversations Ranked By Sent Bytes (descending), Received Bytes (descending)
  Filter Criteria: Reporting Device IP IN Firewall AND Event Type IN Permit Traffic
  Group By attributes: Source IP, Destination IP, IP Protocol, Destination Port
  Display attributes: Source IP, Destination IP, IP Protocol, Destination Port, SUM(Sent Bytes) DESC, SUM(Received Bytes) DESC
  Query window: 1 hour

All unauthorized domain user/group changes in the last week
  Filter Criteria: Reporting Device IP IN Domain Controller AND Event Type IN User/Group Change AND user NOT IN Domain Admins
  Group By attributes: none
  Display attributes: Time, event type, user, computer, domain, target user, target domain
  Query window: 1 week

FortiSIEM Creating a Simple Historical Search


Creating a Simple Historical Search

Prerequisites

Procedure

Prerequisites

If you need to familiarize yourself with how historical search works or the historical search interface, you should read these topics:

Overview of the Historical Search User Interface

Example of How a Structured Historical Search is Processed

Sample Historical Searches

Structured Search Operators

Procedure

  1. Log in to your Supervisor node.
  2. Go to Analytics > Historical Search.
  3. For Filter Criteria, select Simple.
  4. Enter the keywords you want to search for in the raw event logs.
     See Keywords and Operators for Simple Searches for information on keyword searching.
  5. Under Display Fields, select the attributes you want to use as the columns in your results list.
     See Selecting Attributes for Structured Searches, Display Fields, and Rules and Creating Filter Criteria and Display Column Sets for options for selecting display field attributes and sets.
  6. For Time, set the interval over which you want the search to run.
  7. For multi-tenant deployments, select the Organization you want to run the search against.
  8. Click Run.

The results of your search will be displayed in the chart and search results list.

FortiSIEM Creating a Structured Historical Search


Creating a Structured Historical Search

Prerequisites

Procedure

Prerequisites

If you need to familiarize yourself with how historical search works or the historical search interface, you should read these topics:

Overview of the Historical Search User Interface

Example of How a Structured Historical Search is Processed

Sample Historical Searches

Structured Search Operators

Procedure

  1. Log in to your Supervisor node.
  2. Go to Analytics > Historical Search.
  3. For Filter Criteria, select Structured.
     The Conditions and Group By search window will open.
  4. Click the downward arrow in the search window to open the Conditions and Group By dialog.
     Alternatively you can click to use a saved Filter Criteria Set.
  5. Under Conditions, set the Attribute, Operator, and Value for your condition.
     You can also use expressions as search conditions. See Using Expressions in Structured Searches and Rules for more information, and Selecting Attributes for Structured Searches, Display Fields, and Rules for more information about using attributes in conditions.
  6. Click + under Row to add another condition, and set the Next Operator to use for that condition.
     You can give precedence to conditions by setting parentheses around them with the + button under Paren.
  7. Under Group By, set the event attributes that you want to use to group the results, as described in Example of How a Structured Historical Search is Processed.
  8. Click OK.
     You can also click Save as Filter Criteria Set, and these conditions and group by attributes will be available for future historical searches by clicking next to the search window.
  9. Under Display Fields, select the attributes you want to use as the columns in your results list.
     See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information about selecting attributes for devices and events to use as display fields.
  10. For multi-tenant deployments, select the Organization you want to run the search against.
  11. For Time, set the interval over which you want the search to run.
  12. Click Run.

The results of your search will appear in the chart and results list.

Using System-Defined Reports for Historical Search

FortiSIEM includes a number of pre-defined reports that you can use as the basis for historical searches.

Viewing Available Reports

Using System-Defined Reports in Historical Searches

Viewing Available Reports

  1. Log in to your Supervisor node.
  2. Go to Analytics > Reports.
  3. Select a report group in the navigation pane, and then a report.

Each report includes four information tabs:

Summary
  Includes name, description, and all the criteria used in constructing the historical search for the report.

Schedule
  Any scheduled runs for the report. See Scheduling Reports for more information.

Results
  Any saved results from running the report.

Definition
  The XML definition of the report.

Using System-Defined Reports in Historical Searches

  1. Log in to your Supervisor node.
  2. Go to Analytics > Historical Search.
  3. Click Load Report.
  4. Select the report you want to use, and then click OK.
  5. Follow the same steps that you would for Creating a Structured Historical Search.

FortiSIEM Overview of Historical Search Results and Charts


Overview of Historical Search Results and Charts

When your search runs, you will see both a Results List in the bottom pane of the screen, and a chart in the middle pane. The types of charts that are displayed depend both on the data being analyzed, and whether or not you have specified any Group By conditions in your search. You can also add dimensions to your search results and change the chart display type for further analysis.

Non-Aggregated Search Results

Trend

Results List

Aggregated Search Results

Results List

Trend

Pie Chart

Bar Chart

Scatter Plot

Bubble Plot

Tree Map

Heat Map

Non-Aggregated Search Results

Non-aggregated searches are searches that don’t use any Group By conditions to process the results. These types of searches produce two views of the results:

Trend
  Shows the trend over time for search results.

Results List
  Shows the results of the search based on the Search Display fields you selected.

Aggregated Search Results

Aggregated searches are those that use a Group By condition to process the results.

View Description Screen Example Notes
Results

List

Shows the results of the search based on the Group By and Display fields you selected This example shows the search results for Top Event Types by Count

Filter Condition: Empty

Group By Condition: Event Type

Selected Display Fields: Event Type and COUNT(Matched Events)

 

Trend Shows the time trend of aggregated fields

(one at a time)

There are two trend views of results for aggregated searches, the line chart, shown here as the first chart, and the stack chart, shown as the second chart.

In this example, the line chart illustrates when the events occurred. The stacked display avoids line crossings, but the values have to be read off as the

height and not the absolute value. For example, the event count for PIX-302015 at 9:00 hours is 20,000-14000 = 6000.

Pie Chart

Shows the proportion for the COUNT(Matched Events) attribute.

For any set of results where you are charting COUNT(Matched Events), click the Pie Chart icon to view a proportional representation of the results.

Bar Chart

Shows the distribution of aggregated fields.

For any set of results where you are charting COUNT(Matched Events), click the Bar Chart icon to view the distribution of events for your results.

Scatter Plot

Shows the correlation between two aggregated fields.

Scatter plots can show the correlation between two aggregated dimensions, effectively converting a one dimensional chart into a two dimensional one. In this case, a report is run with these parameters:

Filter Condition: Event Types PH_DEV_MON_SYS_CPU_UTIL and PH_DEV_MON_SYS_MEM_UTIL

Group By attribute: Host Name

Display Fields: AVG(CPU Utilization) and AVG(Memory Utilization)

The results are first presented as a stacked trend and bar chart. When you click on the Scatter Plot Chart icon, you can now see the display fields as two dimensions, which shows that most devices use more memory than CPU. Hovering your mouse cursor over an item in the chart displays the values for the selected host.

Bubble Plot

Shows the correlation between two aggregated fields, with a third dimension shown as size.

A bubble plot is a scatter plot with a third dimension field added to indicate size. In this example, the same type of search that was used to generate the scatter plot example is run, though the display field LAST(System Uptime) has been added as a Size indicator.

Tree Map

A hierarchical tree-structured visualization that can be used to analyze the dominant components of multidimensional data.

A classic example is an attempt to understand Top Talkers in a network. In this example, a search is run with these parameters:

Filter Conditions: Group:Permit Traffic

Group By attributes: Destination TCP/UDP Port, Destination IP, Source IP

Display Fields: Destination TCP/UDP Port, Destination IP, Source IP, COUNT(Matched Events)

The results, which run to 400 pages with approximately 10,000 entries, do not provide any information about:

The proportion of the top Destination Ports

The proportion of top Source IPs for a given Destination Port

The proportion of top Destination IPs for a given Destination Port and Source IP

By switching to a Tree Map, you can now see:

The top ports are 161 (SNMP) and 53 (DNS), with SNMP taking roughly 1.5 times the connections

The top destinations for DNS are 192.168.0.10 (internal DNS) and 208.67.222.222 (external DNS)

The top sources going to 192.168.0.10 on the DNS port are 192.168.20.116 and 192.168.65.125

The top source going to 208.67.222.222 on the DNS port is 192.168.0.10, the internal DNS server

You can now drill down on port 53 for a closer view by clicking 53.00 in the tree map, which results in the third screenshot in this example.

Heat Map

Visualizes calculated measures in two dimensions using a color gradient that helps you to understand intensity.

A heat map visualizes two display fields using a color gradient that indicates intensity. A classic example is an attempt to understand which host is talking on which network port. In this example, a search is run with these parameters:

Filter Conditions: Group:Permit Traffic

Group By attributes: Destination TCP/UDP Port, Source IP

Display Fields: Destination TCP/UDP Port, Source IP, COUNT(Matched Events)

The first screenshot shows the results as a stacked trend chart. The second shows the results as a heat map with the Sample set to 1000. You can now hover your mouse cursor over indicators of higher intensity to view specific information. In this case 192.168.0.10, which appears as a small red bar in the lower left corner, is a heavy contributor to traffic on port 53. In addition, vertical lines indicate multiple hosts communicating on the same port, for example ports 22, 53, 80, and 443, while horizontal lines indicate the same host talking across multiple ports.

Refining the Results from Historical Search

Overview of Historical Search Results and Charts describes the charts that you can use to visualize historical search results, but there are also a variety of methods you can use to drill down into search results and refine your queries.

Charting a Specific Row from Historical Search Results

Charting Multiple Aggregation Attributes on the Same Historical Search Results Chart

Drilling Down on Search Results by Time Interval

Using Search Results to Refine Historical Searches

Using Tabs to View Multiple Search Results

Charting a Specific Row from Historical Search Results

When your chart loads, the top five items are displayed as color-coded stacked charts, as shown in the example in this screenshot. However, you may want to remove results from the chart to get a clearer view of what is happening with a specific result. Here, for example, there are spikes for 192.168.19.65 that are clearly visible at various intervals, but the chart results for the other IPs obscure much of what is happening with this source IP.

The solution is to remove the other Source IPs from the chart. In the Chart column of the Results List, click on the items you want to remove from or add to the chart. In this example, all four of the other IPs have been removed from the chart to obtain a clearer visualization of the activity for 192.168.19.65.

Charting Multiple Aggregation Attributes on the Same Historical Search Results Chart

When you run a query, the resulting chart typically displays the first aggregated attribute in the Results List. However, if there are other aggregated attribute values in the search results, you can add those to the chart as a second dimension.

This screenshot shows the results for the report Top Router Network Intf By Util, Error, Discards, which includes the values for a single aggregated attribute, AVG(In Intf Util), for incoming interface utilization.

In this case, it could also be informative to understand more about the outbound interface utilization. In the second Chart For menu, AVG(Out Intf Util) is selected, and this is added as a second dimension to the chart beneath the 0 line, as shown in this screenshot.

 

Drilling Down on Search Results by Time Interval

When you run a search, the chart displays results for the time interval you set in your original query. However, you can also drill down to 5 minute, 10 second, and 1 second time intervals for a closer inspection of the results.

  1. Hover your mouse cursor over the result and time interval you want to drill down on until the information pop-up appears, as shown in the first example screenshot.
  2. Click to drill down and view the results for a 5 minute interval.
  3. Follow the same process to drill down to the 10 second and one second intervals.

This series of screenshots illustrates starting from the original search results, and then drilling down to the 5 minute interval.

Using Search Results to Refine Historical Searches

In this screenshot of search results you can see a small but sudden spike in the SUM(Total Bytes) for Destination TCP/UDP Port 20756, which is represented by the color purple in the chart. In order to understand what is happening in this time interval, you can select this port and the time period of interest, and use these as filter criteria for a deeper investigation.

 

  1. In the Results List, select the row containing the item of interest.
  2. Click the Filter menu, and you will see the attributes of the selected item as filter options.
  3. Select the attribute you want to use for your filter.

In this case, you would select Destination TCP/UDP Port = 20756.

Adding a Specific Attribute Value to a Filter

You can also click in the cell of the Results List that contains the attribute value you want to use in your filter, and then select Add to Filter from the pop-up menu that appears when you hover your mouse cursor over the attribute value.

  4. In the Show menu, select Raw Messages.

This will include the raw event logs in the Incident Details.

  5. In the Display Fields menu, add or remove any display fields you want for the refined search results.

In this case two fields are added, Destination TCP/UDP Port and Total Bytes.

  6. In the chart, click on the time period that is of interest to add it to the search criteria.
  7. Click Run.

This screenshot shows the results for the selected port and time period, indicating that two events originating from Seattle, WA were responsible for the spike.

  8. Click in the Raw Event Log column for an event to view the event details.

See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information on how to view the attributes for reported events and add them to the display fields for your results.

Using Tabs to View Multiple Search Results

There may be occasions when you want to be able to run and compare the results of multiple searches.

  1. Run your first search.
  2. In the upper-left corner of the search screen, click +. A new tab will open up in the Analytics Window.
  3. Run your second search in the new tab.

New Tabs for Drill-Down and Refined Searches

If you refine an existing search, zoom in on a time period, or use the time interval drill-down to examine search results, new tabs are automatically generated for each level of drill down, and for each refined search.  When you select an attribute to use in a refined search, you can also select Add to Filter in New Tab from the Options menu.

 

FortiSIEM Converting an Historical Search to a Real Time Search

Converting an Historical Search to a Real Time Search

In the course of running an historical search, you may produce results that you want to examine in real time. For example, suppose that an historical search shows that yesterday there was an excessive amount of outgoing traffic from your home country or countries that you do business with. You may want to know if this same traffic pattern is happening right now, in real time. You can answer this question from within the same historical search that raised your suspicions.

  1. In the historical search window, click Real Time Search.

The historical search criteria are loaded into a Real Time Search window and begin to execute.

  2. You can now refine your Real Time Search results to reflect your current interest, for example by adding a Destination Country attribute to the display results and running the search again.

FortiSIEM Converting an Historical Search to a Rule

Converting an Historical Search to a Rule

Example

Procedure

Example

While using historical search, you may observe a pattern that you want to use as a rule so if the pattern recurs, it will trigger an alert. For example, in an historical search you may notice excessive traffic going outside your country or the countries you do business with. You can generate a rule to watch for this traffic pattern from within the historical search.

These screenshots show the conditions and results for the example of an historical search for excessive outgoing traffic.

Following this example, you may now want to create a rule that will send you an alert when a particular source sends more than 1000 connections, or more than 5 MB of traffic, in five minutes.

Procedure

  1. In the historical search that you want to use as the basis for your rule, click Create Rule.

The Rule Editor will load, with most information for the rule auto-populated from the search. You can also read the topics under Rules for more information about creating rules.

  2. Enter a Rule Name and Description.
  3. Set the Severity to associate with incidents generated by this rule.
  4. Set the Incident Category to associate with incidents generated by this rule.
  5. Set the number of seconds for the Time Window that this rule should apply to.

In the example of excessive outgoing traffic over a five minute period, this would be set to 300.

  6. Under Conditions, click the Edit icon for Filter_1.

You will see that all your filter conditions for the search have been populated into this sub pattern.

  7. You can now edit the Filter and Aggregate conditions from your original search, or change the Group By conditions.
  8. Click Save when you are done editing the rule.

This screenshot shows the rule sub pattern Filter_1 being edited from the original rule conditions: the Aggregate Conditions for COUNT(Matched Events) and SUM(Total Bytes) are set to 1000 and 5242880 (5 MB) to match the new alert conditions from the example historical search, and the AND operator is changed to OR so that either threshold on its own triggers the rule.

 

FortiSIEM Real Time Search

Real Time Search

You can use Real Time Search to view events as they occur in your IT infrastructure. You can use both simple and structured search criteria, as you would with historical search, but instead of the report-style results of an historical search, real time search results are displayed as a rolling graph and a summary of events that you can drill down into.

Overview of the Real Time Search User Interface

Creating a Simple Real Time Search

Creating a Structured Real Time Search

Viewing and Refining Real Time Search Results

 

Overview of the Real Time Search User Interface

The real time search interface is very similar to the interface for historical search, with the exception that real time search doesn’t have an option to set a search time period. As with historical search, you can also run simple or structured search queries. The main difference between historical and real time search is that real time search displays your results as they are occurring in your IT infrastructure, with a scrolling chart and summary of the results.

Simple Real Time Search

Simple Real Time Search Interface Controls

Structured Real Time Search

Simple Real Time Search

When you use simple real time search, you enter a keyword to search for in the logs collected by AccelOps, set any columns you want to display in the Raw Event Log Results Summary, and, for multi-tenant deployments, select any organizations you want to filter the results for. You can then select results in the real time chart to use for historical searches, or you can select results in the Raw Event Log Results Summary to learn more information about them or use them as filters in refining your search.

This screenshot shows the results for searching the raw event logs for occurrences of TCP.

Simple Real Time Search Interface Controls

Filter Criteria

For simple real time search, use the search box to find keywords in raw event logs. You can also create a rule from your search results.

Set Summary Display Columns

Select which columns will be displayed in the Raw Event Log Results Summary.

Organizations Filter

For multi-tenant deployments, select which organizations you would like to filter the results for.

Real Time Chart

Displays results as they occur in real time. Use the Pause, Fast Forward, Stop, and Clear buttons to control the display.

Raw Event Log Results Summary

Displays a summary of the raw event logs for your search results in real time. Click Pause in the real time chart and then select an item in the summary results to view attributes such as Reporting IP and Destination IP, add an IP address to a watch list, add an attribute as a search filter, or get topological information about network devices. Selecting a result from the summary list also enables the Filter, Quick Info, and Locations buttons.

Structured Real Time Search

For structured real time search, you only enter the filter conditions that you want to use, instead of having to also specify aggregation and group by conditions as you would in a structured historical search.

This screenshot shows the Conditions dialog for structured real time search. You can select attributes and create expressions to use in structured real time search the same way you would in structured historical search.

This screenshot shows the Conditions dialog after having selected Structured in the search controls, with two search conditions set.

Creating a Simple Real Time Search

  1. Log into your Supervisor node.
  2. Go to Analytics > Real Time Search.
  3. In Filter Criteria, select Simple.
  4. Enter the keywords you want to search for in the raw event logs collected by AccelOps.

See Keywords and Operators for Simple Searches for more information about keyword searching.

  5. Select the Display Fields for the results summary.

See Selecting Attributes for Structured Searches and Display Fields for more information about selecting attributes that can be displayed for reported events.

  6. For multi-tenant deployments, select any Organizations that you want to filter the results for.
  7. Click Search.

Related Links

Keywords and Operators for Simple Searches

Selecting Attributes for Structured Searches, Display Fields, and Rules

Creating a Structured Real Time Search

  1. Log in to your Supervisor node.
  2. Go to Analytics > Real Time Search.
  3. For Filter Criteria, select Structured.

The Conditions search window will open.

  4. Click the downward arrow in the search window to open the Conditions dialog. Alternatively, click the icon next to the search window to use a saved Filter Criteria Set.
  5. Under Conditions, set the Attribute, Operator, and Value for your condition.

You can also use expressions as search conditions. See Using Expressions in Structured Searches and Rules for more information, and Selecting Attributes for Structured Searches, Display Fields, and Rules for more information about using attributes in conditions.

  6. Click + under Row to add another condition, and set the Next Operator to use for that condition.

You can give precedence to conditions by setting parentheses around them with the + button under Paren.

  7. Click OK.

You can also click Save as Filter Criteria Set, and these conditions will be available for future searches by clicking the icon next to the search window.

  8. Under Display Fields, select the attributes you want to use as the columns in your results list.

See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information about selecting attributes for devices and events to use as display fields.

  9. For multi-tenant deployments, select the Organization you want to run the search against.
  10. Click Search.

The results of your search will appear in the real time chart and results list.

The results of your search will appear in the real time chart and results list.

Viewing and Refining Real Time Search Results

When your real time search runs, you will see the results represented as a scrolling chart across the top of the search results window, and as a scrolling list at the bottom of the window that includes the raw event log information for events matching your search criteria. You can select items in the scrolling chart to use in historical search, view more information about individual items in the results list, and add attributes from your search results to your search filters or display fields.

Selecting Results for Historical Search

Viewing Information about Real Time Search Results

Adding Search Results to Search Filters, Watch Lists, or Display Fields

Selecting Results for Historical Search

  1. When you see a time interval of events that you want to use for historical search appear in the scrolling chart, click Pause or Stop.
  2. Hover your mouse cursor over the bar that represents the time interval until you see the time interval information appears, and then double-click on the bar.
  3. The time interval and Event Type will be added to the criteria for an historical search.

Complete the other criteria you want to use for the search as described in Historical Search.

Viewing Information about Real Time Search Results

  1. When you see an event appear in the search results list that you want more information about, click Pause or Stop.
  2. Select the event row and click Quick Info to view the Reporting IP, Event Type, Source IP, and Destination IP for that event.
  3. To view information about specific attributes of an event, click in the attribute display field and click Quick Info.

For attributes associated with devices, this will open the Quick Info view of the device as described in Summary Dashboard User Interface Overview. For event types, it will show information such as the severity and the device associated with the event type.

  4. To view information about a device's location in the network topology, select it in the display field and then select Topology.

Adding Search Results to Search Filters, Watch Lists, or Display Fields

With a search result selected in the results list, click Filter to select event attributes to add to the search filter.

In the expanded Raw Events Log, click on items in the text string to include or exclude them as search filter criteria.

To add a specific result to the search criteria, in the results list, click on an item in a display field to open the options menu, and then select Add to Filter.

To add an IP address to a watch list, click on it to open the options menu, and then select Add to Watch List.

See Watch Lists for more information.

See the section on Selecting Attributes from the Raw Event Log Column in the Results Lists in the topic Selecting Attributes for Structured Searches and Display Fields for information on how you can view and select the attributes associated with events to use as search filters or display fields from the real time search results list.

FortiSIEM Structured Search Operators

Structured Search Operators
Each operator is listed with its meaning, the event attribute types (or CMDB groups) it is allowed on, and examples as seen in the GUI.

=, !=

Compares whether an attribute is exactly identical, or not identical, to a specified value.

Allowed on: all types except DATE.

Examples:

Event Type = "PH_DEV_MON_SYS_CPU_UTIL"

Source IP != 10.1.1.1

>, >=, <, <=

Compares whether an attribute is less than or greater than a specified value.

Allowed on: numeric types (UINT16, UINT32, UINT64, DOUBLE).

Example:

CPU Util > 10

IN, NOT IN

Determines whether an attribute belongs, or does not belong, to a set of values. For string valued attributes, the match is case insensitive.

Allowed on: all types except DATE. CMDB Groups are allowed as the set.

Examples:

System Event Category IN (3,6)

Event Type IN ("PH_DEV_MON_SYS_CPU_UTIL","PH_DEV_MON_SYS_MEM_UTIL")

Event Type IN ("PH_DEV_MON_SYS_CPU_UTIL", Event Types:Login Failure)

Source IP IN Devices:Windows, Devices:Unix

Destination IP IN Networks:VPN Pool

BETWEEN, NOT BETWEEN

Determines whether an attribute is within a range of values.

Allowed on: all types except STRING.

Examples:

Source IP BETWEEN (10.1.1.1, 10.1.1.255)

CPU Util BETWEEN (20.0, 30.0)

Event Receive Time BETWEEN (18:35 03/17/2014, 18:35 03/26/2014)

IS (NULL), IS NOT (NULL)

Determines whether an attribute is present or not.

Allowed on: all types.

Example:

Host Name IS NOT NULL

CONTAINS, NOT CONTAINS

Determines whether a string valued attribute contains a specified sub-string. For Raw Event Log, every word of the sub-string has to match the beginning of a word in the log. For all other string type attributes, the sub-string can be in any position. For more general patterns use regular expressions.

Allowed on: STRING.

Examples:

Event Type CONTAINS "DEV_MON" matches "PH_DEV_MON_CPU"

Event Type NOT CONTAINS "DEV_MON" does not match "PH_DEV_MON_CPU"

Reporting Model CONTAINS "dows" matches "Microsoft Windows"

Reporting Model CONTAINS "soft win" matches "Microsoft Windows"

Raw Event Log CONTAINS "dows" does not match "Microsoft Windows"

Raw Event Log CONTAINS "microsoft win" matches "Microsoft Windows 2003"

REGEXP, NOT REGEXP

Determines whether a string valued attribute matches a specified pattern. The raw message must be UTF-8 encoded.

Allowed on: STRING.

Examples:

Raw Event Log REGEXP "\d+\.\d+\.\d+\.\d+" matches a dotted-quad IPv4 address (the dots are escaped; an unescaped "." matches any single character)

Event Type NOT REGEXP "PH_DEV_MON_.*" matches events whose event type does not begin with PH_DEV_MON
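The CONTAINS, IN, BETWEEN and REGEXP semantics from the table above, as an added Python reference implementation. This is not FortiSIEM code. Where the table leaves a detail open, the code takes the reading noted in its comments as an assumption: the words of a Raw Event Log sub-string must match consecutive word beginnings in order, BETWEEN is inclusive at both ends, REGEXP is an unanchored search, and BETWEEN on a string is accepted only for IP addresses and timestamps in the GUI's HH:MM MM/DD/YYYY form.

```python
import ipaddress
import re
from datetime import datetime

# Added example of the structured-search operator semantics; not FortiSIEM code.
# Words are runs of letters, digits and underscores, which is enough for the
# examples in the table ("Microsoft Windows 2003" -> microsoft, windows, 2003).
_WORD = re.compile(r"[A-Za-z0-9_]+")


def contains_attr(value, needle):
    """CONTAINS on an ordinary string attribute: the sub-string may be at any position."""
    return needle.casefold() in value.casefold()


def contains_raw(raw_log, needle):
    """CONTAINS on Raw Event Log: each word of the needle must be the beginning of a
    word in the log (assumed: consecutive and in order), so "dows" does not match
    "Microsoft Windows" while "microsoft win" matches "Microsoft Windows 2003"."""
    log_words = [w.casefold() for w in _WORD.findall(raw_log)]
    needle_words = [w.casefold() for w in _WORD.findall(needle)]
    if not needle_words:
        return False
    span = len(needle_words)
    return any(
        all(log_words[i + j].startswith(needle_words[j]) for j in range(span))
        for i in range(len(log_words) - span + 1)
    )


def op_in(value, members):
    """IN: set membership, case-insensitive for string-valued attributes."""
    if isinstance(value, str):
        return value.casefold() in {str(m).casefold() for m in members}
    return value in set(members)


def _comparable(x):
    """Map a BETWEEN operand to something orderable. Numbers pass through. A string is
    accepted only as an IP address (compared numerically, never lexically) or as a
    GUI-format timestamp, because BETWEEN is not allowed on STRING attributes."""
    if not isinstance(x, str):
        return x
    try:
        return int(ipaddress.ip_address(x))
    except ValueError:
        pass
    try:
        return datetime.strptime(x, "%H:%M %m/%d/%Y")
    except ValueError:
        raise TypeError(f"BETWEEN is not defined for STRING value {x!r}") from None


def op_between(value, low, high):
    """BETWEEN (low, high), inclusive at both ends (assumption)."""
    v, lo, hi = (_comparable(x) for x in (value, low, high))
    return lo <= v <= hi


def op_regexp(raw, pattern):
    """REGEXP: unanchored search (assumption). Raw bytes must decode as UTF-8; anything
    else is rejected rather than silently matched against a mis-decoded string."""
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8")
    return re.search(pattern, raw) is not None
```

The IP branch of `_comparable` is the part worth keeping in mind when you write BETWEEN filters by hand: 10.1.1.100 lies inside (10.1.1.2, 10.1.1.255) numerically but would fall outside it under a string comparison.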

FortiSIEM Selecting Attributes for Structured Searches, Display Fields, and Rules

Selecting Attributes for Structured Searches, Display Fields, and Rules

For both Real Time and Historical structured searches you have the option to select event attributes to use in your search and Group By filters, and as display fields in your result lists. Since AccelOps recognizes over 130,000 event attributes, the documentation and user interface provide several ways to find the attributes you want to use. These instructions show how to access the Common Attributes menu and the CMDB attribute browser through the Attribute field in search conditions, but you can access the same functionality in the Display Fields menu for searches, and when you create a new rule. They also describe how you can access the attributes associated with reported events through the Raw Event Log column of results lists.

The Event Dictionary and Master Attribute List

Selecting Attributes in the Common Attributes Menu

Selecting Event Attributes from the CMDB

Selecting Attributes from the Raw Events Log Column of the Results Lists

The Event Dictionary and Master Attribute List

This documentation includes an Event Dictionary that describes events and their attributes, and an attribute master list, which lists the primary event attributes and their data type, along with a brief description of what values AccelOps expects to see when that attribute information is returned.

Selecting Attributes in the Common Attributes Menu

This screenshot shows the Common Attributes menu open in the Conditions Builder for an Historical search. Open the menu by clicking the downward arrow next to an Attribute text field. You can scroll through the list of event attributes to select the one you want, or begin typing an attribute name and the menu will sort based on your entry.

Selecting Event Attributes from the CMDB

You also have the option to browse all the attributes listed in the CMDB to find the one that you want. These two screenshots show the CMDB attribute browser, which you can access by clicking next to the Attribute text field.

The first screenshot illustrates browsing the CMDB attributes based on Device Type and Feature Type: Availability, Change, Performance, Security, and All. In this example, Security has been selected for Feature Type, and Cisco IOS has been selected for Device Type. This loads all the security attributes associated with Cisco IOS into the Attribute List.

The second screenshot illustrates browsing the CMDB Event Types to find an event attribute. In this example, Cisco ASA is selected for Device Type. Clicking in the Event Type window opens an Event Browser for the CMDB. Select any group in the browser, and you will see the event types within that group that are applicable to the Device Type you selected.

Selecting Attributes from the Raw Events Log Column of the Results Lists

All real time search results lists include a Raw Event Log column, and you can add a Raw Event Log column to the list of results for historical searches. In addition to providing detailed information from the raw event logs, you can also use this column to view all the attributes associated with a reported event and add them to the display fields in your results list or to your filters for structured searches.

  1. Click in the Raw Event Log column of your results list to collapse the view.

The raw event log text will collapse into an information icon with a blue +.

  2. Click on the blue + icon to open the Event Details.

You will see the raw event log text and a list of all the attributes associated with that event type.

  3. Select Filter or Display to add an attribute to the search filters or display fields for that search.
  4. Click X to close the Event Details window when you are done making your selections.


FortiSIEM Using Expressions in Structured Searches and Rules

Using Expressions in Structured Searches and Rules

An expression can contain a single event attribute, multiple attributes, or functions that contain an event attribute as their argument. You can also use parentheses and arithmetic operators to form complex expressions.

You can enter an expression manually, paste it in, or build it dynamically using the Expression Builder. Even if you use the Expression Builder, you still have to type any parentheses and arithmetic operators into the expression yourself.

The Expression Builder

Creating Expressions

Adding a Function

Filter Condition Functions

Aggregation Condition Functions

The Expression Builder

You can access the Expression Builder by clicking the e icon next to the Attribute or Value field when creating a structured search or rule.

This screenshot shows the Expression Builder open for creating a rule.

Creating Expressions

Adding a Function

To add a function to the expression, select it from the Add Function menu, and then click the + icon. The available functions depend on whether you are creating an expression to use as part of a filter condition for a search or rule, or as part of the aggregation conditions for a rule.

Selecting Function-Specific Attributes

When you select any type of function, the function and a set of parentheses will be added to the expression. If you place your cursor within the parentheses and then open the Event Attribute menu, you will see event attributes that are relevant for that function. For example, if you select COUNT as the function, (MATCHED ITEMS) will automatically appear between the parentheses, and will be selected in the Event Attribute menu. If you select a function like AVG for an aggregation condition, you will see options such as CPU UTIL and Apache Uptime. If you select a function like HourOfDay for a filter condition, you will see options like Access Time and Vulnerable Since. You can search through the options in either situation by beginning to type a keyword in the Event Attribute menu. Selecting Attributes for Structured Searches, Display Fields, and Rules has more information about ways to search for and select event attributes.

Filter Condition Functions

If you select HourOfDay or DayOfWeek for the function, the Event Attributes menu will contain date and time-related event attributes, while if you select DeviceToCMDBAttr, it will contain device-related attributes.

HourOfDay

Specify an hour of the day in the condition.

DayOfWeek

Specify a day of the week in the condition.

DeviceToCMDBAttr

If you add the DeviceToCMDBAttr() function to the expression, the first argument must be an event attribute, and the second argument must be a CMDB attribute, which you can select using the CMDB Attribute menu. The DeviceToCMDBAttr function is used to create expressions for per-device thresholds.

This screenshot shows the beginning of creating an expression to use as the Attribute in a condition for an historical search. HourOfDay is selected as the Function, and Access Time is selected as the Event Attribute.

Aggregation Condition Functions

You use these functions to perform operations on numerical event attributes such as Sent Bytes, Received Bytes, CPU Utilization, or Memory Utilization.

Count

Count the number of items returned.

Count Distinct

Count the number of distinct items returned.

Sum

Add the numbers.

Average

Average the numbers.

Min

The lowest number.

Max

The highest number.

Last

The last number.

First

The first number.

Pctile95

The 95th percentile.

PctChange

Percentage change.

STAT_AVG

Statistical average. This function is used in conjunction with creating baseline reports.

STAT_STDDEV

Statistical standard deviation. This function is used in conjunction with creating baseline reports.

This screenshot shows the beginning of creating an expression to use as an aggregation condition in a rule. Max is selected as the Function, and CPU Util is selected as the Event Attribute.
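The aggregation functions in the table above, applied to the rule built in Converting an Historical Search to a Rule (COUNT(Matched Events) > 1000 OR SUM(Total Bytes) > 5242880 per source within a 300-second Time Window), as an added Python example. This is not FortiSIEM code: the event records are constructed, the fixed non-overlapping 300-second bucketing is an assumption about how a Time Window is applied, and the page names Pctile95 and PctChange without defining them, so the nearest-rank percentile and the first-to-last percentage change used here are assumed definitions.

```python
import statistics
from collections import defaultdict

# Added example, not FortiSIEM code. The event records, the window bucketing and the
# exact definitions of Pctile95 and PctChange are assumptions made for illustration.


def pctile95(values):
    """95th percentile by the nearest-rank method (assumed definition). The rank is
    computed with integer arithmetic so ceil(0.95 * n) is exact."""
    ranked = sorted(values)
    rank = max(1, -(-95 * len(ranked) // 100))
    return ranked[rank - 1]


def pct_change(values):
    """Percentage change from the first to the last value in event order (assumed)."""
    first, last = values[0], values[-1]
    if first == 0:
        raise ZeroDivisionError("PctChange is undefined when the first value is 0")
    return (last - first) / first * 100.0


# Aggregation functions from the table, keyed by the name shown in the GUI.
# FIRST and LAST assume the values are already in event-time order.
AGGREGATES = {
    "COUNT": len,
    "COUNT DISTINCT": lambda v: len(set(v)),
    "SUM": sum,
    "AVG": lambda v: sum(v) / len(v),
    "MIN": min,
    "MAX": max,
    "FIRST": lambda v: v[0],
    "LAST": lambda v: v[-1],
    "PCTILE95": pctile95,
    "PCTCHANGE": pct_change,
    "STAT_AVG": statistics.fmean,
    "STAT_STDDEV": statistics.pstdev,
}


def window_groups(events, window_seconds, key):
    """Bucket events into fixed, non-overlapping windows of window_seconds and group
    them by the Group By attribute `key` (the source IP in this example)."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        groups[(int(ev["ts"] // window_seconds), ev[key])].append(ev)
    return groups


def evaluate_rule(events, window_seconds=300, max_count=1000, max_bytes=5242880):
    """Fire once per (window, source) where COUNT(Matched Events) > max_count
    OR SUM(Total Bytes) > max_bytes, mirroring the edited Filter_1 sub pattern."""
    hits = []
    for (bucket, src), evs in window_groups(events, window_seconds, "src").items():
        count = AGGREGATES["COUNT"](evs)
        total = AGGREGATES["SUM"]([e["bytes"] for e in evs])
        if count > max_count or total > max_bytes:
            hits.append({"window_start": bucket * window_seconds, "src": src,
                         "count": count, "bytes": total})
    return hits


def constructed_events():
    """Constructed sample traffic (not real data); ts is seconds since the window origin."""
    evs = []
    # 1200 small connections inside one 5-minute window: trips the COUNT condition
    evs += [{"ts": i * 0.2, "src": "192.168.19.65", "bytes": 100} for i in range(1200)]
    # three 3 MB transfers totalling 9 MB: trips the SUM(Total Bytes) condition
    evs += [{"ts": 10 + i, "src": "192.168.20.116", "bytes": 3 * 1024 * 1024} for i in range(3)]
    # 2000 connections spread over 20 minutes: 500 per window, so nothing fires
    evs += [{"ts": i * 0.6, "src": "192.168.65.125", "bytes": 1000} for i in range(2000)]
    return evs


if __name__ == "__main__":
    for hit in evaluate_rule(constructed_events()):
        print(hit)
```

The third source shows why the Time Window value matters as much as the thresholds: the same 2000 connections fire nothing with a 300-second window but do fire if the window is widened to 1200 seconds.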

FortiSIEM Keywords and Operators for Simple Searches

Keywords and Operators for Simple Searches

Both historical and real time searches have a simple search option that searches for keywords in the raw ASCII text of event logs. You can use operators in your keyword searches to combine terms or create simple search filters.

Keyword Operators

Examples of Using Keyword Search Operators

Quotes and Backslash Characters in Search Terms

Keyword Operators

You can use the operators AND, OR, AND NOT between keywords. If you enter more than one keyword, then AND is assumed as the operator between them. You can also use parentheses () to change the precedence of the operators.

Examples of Using Keyword Search Operators

TCP

Finds all events with TCP in the event logs.

TCP 80

Finds all events with both TCP and 80 in the event logs.

TCP AND (80 OR 443)

Finds all events with TCP and either 80 or 443 in the event logs.

TCP AND NOT 80

Finds all events with TCP but not 80 in the event logs.

Quotes and Backslash Characters in Search Terms

If the search string contains quotation marks or back-slash characters, you must escape them by prefixing them with a backslash character. For example, if you wanted to search for [location]=”United States” then you would need to enter [location]=\”United States\” as your search string.
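The keyword syntax described in this topic (AND, OR, AND NOT, parentheses, implied AND between adjacent terms, and backslash-escaped quotes) as an added Python parser and evaluator, run over a few constructed log lines. This is not FortiSIEM code. It assumes a keyword matches when it occurs anywhere in the raw log text regardless of case, that NOT binds tighter than AND and AND tighter than OR, and that an unescaped double quote groups a phrase; the page does not state any of those details.

```python
# Added example, not FortiSIEM code. Assumed: case-insensitive substring matching,
# NOT > AND > OR precedence, adjacent terms ANDed, an unescaped quote groups a phrase,
# and a backslash escapes the next character so an escaped quote or backslash is literal.

_KEYWORDS = {"AND", "OR", "NOT"}

# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    "Jan 10 09:00:01 fw1 %ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.5/80",
    "Jan 10 09:00:02 fw1 %ASA-6-302013: Built outbound TCP connection 1235 for outside:203.0.113.9/443",
    "Jan 10 09:00:03 fw1 %ASA-6-302015: Built outbound UDP connection 1236 for outside:198.51.100.1/53",
    "Jan 10 09:00:04 fw1 %ASA-6-302013: Built outbound TCP connection 1237 for outside:203.0.113.7/8080",
    'Jan 10 09:00:05 web1 nginx: [location]="United States" GET /login 200',
]


def tokenize(query):
    """Split a query into ("kw", X) operator/parenthesis tokens and ("term", text) keywords."""
    tokens, i, n = [], 0, len(query)
    while i < n:
        c = query[i]
        if c.isspace():
            i += 1
            continue
        if c in "()":
            tokens.append(("kw", c))
            i += 1
            continue
        buf, quoted, saw_quote = [], False, False
        while i < n:
            c = query[i]
            if c == "\\" and i + 1 < n:            # escaped character: keep it literally
                buf.append(query[i + 1])
                i += 2
            elif c == '"':                         # unescaped quote toggles phrase mode
                quoted, saw_quote = not quoted, True
                i += 1
            elif not quoted and (c.isspace() or c in "()"):
                break
            else:
                buf.append(c)
                i += 1
        if quoted:
            raise ValueError("unterminated quote in search string")
        word = "".join(buf)
        # A quoted "AND" is a search term, an unquoted AND is an operator.
        tokens.append(("kw", word) if word in _KEYWORDS and not saw_quote else ("term", word))
    return tokens


class _Parser:
    """Recursive-descent parser producing a small AST of nested tuples."""

    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of search string")
        self.pos += 1
        return tok

    def parse(self):
        node = self._or_expr()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()[1]!r}")
        return node

    def _or_expr(self):
        left = self._and_expr()
        while self._peek() == ("kw", "OR"):
            self._take()
            left = ("or", left, self._and_expr())
        return left

    def _and_expr(self):
        left = self._unary()
        while True:
            tok = self._peek()
            if tok == ("kw", "AND"):
                self._take()
                left = ("and", left, self._unary())
            elif tok is None or tok in (("kw", "OR"), ("kw", ")")):
                return left
            else:                                  # two adjacent operands: implied AND
                left = ("and", left, self._unary())

    def _unary(self):
        tok = self._take()
        if tok == ("kw", "NOT"):
            return ("not", self._unary())
        if tok == ("kw", "("):
            node = self._or_expr()
            if self._take() != ("kw", ")"):
                raise ValueError("missing closing parenthesis")
            return node
        if tok[0] == "kw":
            raise ValueError(f"operator {tok[1]!r} where a keyword was expected")
        return ("term", tok[1])


def _matches(node, text):
    kind = node[0]
    if kind == "term":
        return node[1].lower() in text
    if kind == "not":
        return not _matches(node[1], text)
    if kind == "and":
        return _matches(node[1], text) and _matches(node[2], text)
    return _matches(node[1], text) or _matches(node[2], text)


def search(query, logs):
    """Return the log lines matching the keyword query."""
    ast = _Parser(tokenize(query)).parse()
    return [line for line in logs if _matches(ast, line.lower())]
```

Note the substring caveat this makes visible: `TCP AND NOT 80` also excludes the connection to port 8080, because "80" is a substring of "8080". When a port number is the point of the search, a structured search on Destination TCP/UDP Port is the precise tool.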

FortiSIEM Using Geolocation Attributes in Searches and Search Results

Using Geolocation Attributes in Searches and Search Results

When you view the results of a search, you will see that IP address fields in the results, such as Source IP or Destination IP, often have a flag added to them to indicate the geolocation of that IP address. This topic describes the geolocation information that is associated with event attributes, and provides examples of how to use this information in searches and search results.

Event and Geolocation Attributes

Using Geolocation Attributes in Searches

Viewing Geographic Locations from Search Results

Event and Geolocation Attributes

The event attributes Source IP, Destination IP, Host IP, and Reporting IP include geolocation attributes that you can use in search queries and as display fields in search results. In Incident Reports you may also see country flags included with IP addresses for Incident Source and Incident Target, which have the same geolocation attributes as Source IP and Destination IP.

Event Attribute | Geolocation Attributes
Source IP | Source Country, Source City, Source State, Source Organization, Source Longitude, Source Latitude
Destination IP | Destination Country, Destination City, Destination State, Destination Organization, Destination Longitude, Destination Latitude
Host IP | Host Country, Host City, Host State, Host Organization, Host Longitude, Host Latitude
Reporting IP | Reporting Country, Reporting City, Reporting State, Reporting Organization, Reporting Longitude, Reporting Latitude

Using Geolocation Attributes in Searches

You can use geolocation attributes in both real time and historical structured searches. For example, setting a search attribute to Source Country != United States will remove all Source IPs with a geolocation of United States from the search results.

This screenshot shows the results of using Source Country != United States and Event Severity = 1 as the search criteria. The Source IP display field contains only IP addresses associated with countries other than the United States, as indicated by the national flags next to each IP address in the Source IP column.

If you use a geolocation attribute such as Source Country as a Display Field or Group By condition, then the results will include name information for that attribute, rather than a national flag.

This screenshot shows the results of the same query used previously, but with Group By = Source Country.

Viewing Geographic Locations from Search Results

If your search results contain geographic information, click the Locations button to view that information on a map.

This screenshot shows the results for the first example query presented in a map. Clicking on a number in the map will provide you with an overview of incidents for that location.


FortiSIEM Creating Filter Criteria and Display Column Sets

Creating Filter Criteria and Display Column Sets

When you create searches, you have the option to select saved filter criteria and column sets to use. This topic describes how to create those sets.

  1. Log in to your Supervisor node.
  2. In the Analytics tab, select either Display Column Sets or Filter Criteria Sets, depending on the type of set you want to create.
  3. Click New.
  4. Add the filter criteria or display columns that you want to the set.

See Using Expressions in Structured Searches and Selecting Attributes for Structured Searches and Display Fields for more information about building searches and display columns.

  5. Click Save.

Your set will be saved to the list of sets, and you will be able to use it in searches by clicking the button next to the Filter Criteria text field in structured searches or the Display Columns menu for both structured and simple searches.

Related Links

Using Expressions in Structured Searches and Rules

Selecting Attributes for Structured Searches, Display Fields, and Rules

FortiSIEM Rules

Rules

FortiSIEM continuously monitors your IT infrastructure and provides you with information you can use to analyze performance, availability, and security. There may also be situations in which you want to receive alerts when exceptional, suspicious, or potential failure conditions arise. You can accomplish this by using rules that define the conditions to watch out for, and which trigger an incident when those conditions arise. This incident will appear on the Incident Summary dashboard, and you can also configure a notification policy that will send email and SNMP alerts that the incident has occurred. FortiSIEM includes over 500 system-defined rules, which you can see in Analytics > Rules, but you can also create your own rules as described in the topics in this section.

Creating Rules

FortiSIEM constantly monitors your IT infrastructure for events and collects information about them, but you can also set rules that will trigger incidents from events and send notifications when they occur. These topics describe the concepts and processes for creating rules.

Creating a Rule

Defining Rule Conditions

Example of a Rule with a Single Condition Sub-Pattern

Example of a Rule with Multiple Sub-Patterns

Defining the Incident Generated by a Rule

Defining Rule Exceptions

Defining Clear Conditions

Testing a Rule

Creating a Rule

Creating a new rule involves defining the attributes of the incident that is triggered by the rule, as well as the triggering conditions and any exceptions or clear conditions.

  1. Go to Analytics > Rules.
  2. Select the group where you want to add the new rule.
  3. Click New.
  4. Enter a Rule Name and Description.
  5. For Status, keep the rule Inactive.

You can activate the rule after you’re finished creating and testing it.

  6. Select an Incident Category for the incident triggered by the rule.

You can click Add and enter a custom incident category.

  7. Select a Severity to associate with the incident triggered by the rule.
  8. Select Update the Perf Status column on summary dashboard if you want the incident to display in the Performance Status column of the Exec Summary
  9. For Attributes, enter the functional area, such as Security, that you want to associate the rule with.
  10. Enter a Notification Frequency for how often you want notifications to be sent when an incident is triggered by this rule.
  11. Under Conditions, click Add Subpattern to create the rule conditions.

See Defining Rule Conditions for detailed information on selecting event and aggregation attributes to use with rules. You can also see examples of rules with a single subpattern and multiple sub-patterns.

  12. Enter the time interval during which the rule conditions will apply.

The minimal interval is 120 seconds.

  13. Next to Actions, click Edit to define the incident that will be generated by this rule.

See Defining the Incident Generated by a Rule for more information.

  14. Next to Watch Lists, click Edit to add a watch list to the rule.

See Adding a Watch List to a Rule for more information.

  15. If you want to define any Exceptions for the rule, click Edit. See Defining Rule Exceptions for more information.
  16. If you want to define any Clear Conditions for the rule, click Edit.

See Defining Clear Conditions for more information.

  17. Click Save.

Your new rule will be saved to the group you selected in an inactive state. Before you activate the rule, you should test it.

 

Defining Rule Conditions

Rule conditions define the event attributes and thresholds that will trigger an incident. Rule conditions are built from sub-patterns of event attribute filters and aggregation functions. You can specify more than one subpattern and the relationships and constraints between them.

Setting the Relationship between Subpatterns

Setting Inter-subpattern Constraints

Examples of inter-subpattern relationships and constraints

Specifying a Subpattern

A subpattern defines the characteristics of events that will cause a rule to trigger an incident. A subpattern involves defining event attributes that will be monitored, and then defining the threshold values for aggregations of event attributes that will trigger an incident.

Example of a rule with a single subpattern

This screenshot shows an example of a subpattern with a single event filter and a single event aggregation condition. Expressed as a sentence, this rule would be “When there are more than three events on a single Host IP where average CPU utilization is equal to 95%, trigger an incident.”

 

Event Filters

Event filter criteria determine which event attributes and values will be monitored by the rule, and are set in a way that is similar to the way you set event attributes for structured historical searches and real time searches. See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information on finding attributes to use in your event filters.

Event Aggregation

While you could have a rule that triggers an incident on a single instance of a particular event, it is more likely that you will want your rule to trigger an incident when some number of events have been found that meet your event filter criteria.

Group By Attributes

This determines which event attributes will be used to group the events before the group constraints are applied, in a way that is similar to the way the Group By attribute is used to aggregate the results of structured searches.

Aggregate Conditions

The group aggregation conditions set the threshold at which some aggregation of events will trigger a rule to create an incident. You create an aggregation condition by using the Expression Builder to set a function, and then enter the Operator and Value for the aggregation condition.

Examples of Group By and Aggregate Conditions Settings

Scenario | Group By Attributes | Aggregate Conditions
10 or more events | none | COUNT(Matched events) >= 10
Connections to 100 or more distinct destination IPs from the same source IP | Source IP | COUNT(DISTINCT Destination IP) >= 100
Connections to 100 or more distinct destination IPs from the same source IP on the same destination port | Source IP, Destination Port | COUNT(DISTINCT Destination IP) >= 100
Average CPU Utilization on the same server > 95% over 3 samples | Host IP | COUNT(Matched Events) >= 3 AND AVG(CPU Util) > 95
Logins from the same source workstation to 5 or more accounts on the same target server | Source IP, Destination IP | COUNT(DISTINCT user) >= 5

Setting the Relationship between Subpatterns

Example of a rule with multiple subpatterns

If you have more than one sub-pattern, you must specify the relationship between them with these operators.

Operator | Meaning
AND | Sub-pattern P1 AND Sub-pattern P2 means both sub-patterns P1 and P2 have to occur
OR | Sub-pattern P1 OR Sub-pattern P2 means either P1 or P2 has to occur
FOLLOWED-BY | Sub-pattern P1 FOLLOWED-BY Sub-pattern P2 means P1 has to be followed by P2 in time
AND-NOT | Sub-pattern P1 AND-NOT Sub-pattern P2 means P1 must occur while P2 must not; the time order between P1 and P2 is not important
NOT-FOLLOWED-BY | Sub-pattern P1 NOT-FOLLOWED-BY P2 means P1 must occur and P2 must not occur after P1

Setting Inter-subpattern Constraints

You may want to relate attributes of a sub-pattern to the corresponding attributes of another sub-pattern, in a way that is similar to a JOIN operation in SQL, by using the relationship operators <, >, <=, >=, =, !=.

Examples of inter-subpattern relationships and constraints

Scenario 1: 5 login failures from the same source to a server not followed by a successful logon from the same source to the same server
  Sub-pattern P1 filter: Event type = Login Success
  P1 group-by attribute set: Source IP, Destination IP
  P1 group constraint: COUNT(Matched Event) >= 5
  Sub-pattern P2 filter: Event type = Login failure
  P2 group-by attribute set: Source IP, Destination IP
  P2 group constraint: COUNT(Matched Event) > 0
  Inter-P1-P2 relationship: P1 NOT_FOLLOWED_BY P2
  Inter-P1-P2 constraints: P1’s Source IP = P2’s Source IP

Scenario 2: A security attack on a server followed by the server scanning the network, that is, attempting to communicate with 100 distinct destination IP addresses in 5 minute time windows
  Sub-pattern P1 filter: Event type = Attack
  P1 group-by attribute set: Destination IP
  P1 group constraint: COUNT(Matched Event) > 0
  Sub-pattern P2 filter: Event Type = Connection Attempted
  P2 group-by attribute set: Source IP
  P2 group constraint: COUNT(DISTINCT Destination IP) > 100
  Inter-P1-P2 relationship: P1 FOLLOWED_BY P2
  Inter-P1-P2 constraints: P1’s Destination IP = P2’s Source IP

Scenario 3: Average CPU > 95% over 3 samples on a server AND Ping loss > 75%
  Sub-pattern P1 filter: Event Type = CPU_Stat
  P1 group-by attribute set: Host IP
  P1 group constraint: COUNT(Matched Event) >= 3 AND AVG(cpuUtil) > 95
  Sub-pattern P2 filter: Event Type = PING Stat
  P2 group-by attribute set: Host IP
  P2 group constraint: pingLossPct > 75
  Inter-P1-P2 relationship: P1 AND P2
  Inter-P1-P2 constraints: P1’s Host IP = P2’s Host IP

Example of a Rule with a Single Condition Sub-Pattern

This topic shows an example of how to create a rule with a single sub-pattern based on the condition that Average CPU on a server is more than 95% over 3 sample measurements.

Attribute | Group By Attribute | Aggregate Conditions
Avg CPU Util | Host IP | COUNT (Matched Event) >= 3

  1. For Rule Name, enter Hi Avg CPU.
  2. For Description enter Average CPU on a server is more than 95% over 3 sample measurements.
  3. For Severity, select 9 – High.
  4. For Attributes, select All.
  5. Set the Notification Frequency for 1 Hour.
  6. Next to Conditions, click Add Subpattern.
  7. For Subpattern Name, enter Pattern 1.
  8. Under Filters, set these options:

Option | Setting
Attribute | Avg CPU Util
Operator | >=
Value | 95

  9. Under Aggregate Conditions, click the Expression Builder icon next to the Attribute field, select COUNT(Matched Events) from the Add Function menu, and then click OK.
  10. Under Aggregate Conditions, select = for Operator and enter 3 for Value.
  11. Under Group By, select Host IP.
  12. Click Save.
  13. Enter 5 for the time interval during which the conditions will apply.
  14. You would now complete the rule by Defining the Incident Generated by a Rule, and any exceptions or clear conditions. You could also associate it with a notification policy.

This screenshot shows the subpattern settings for this example.


The following steps describe how to create a rule that matches the above example 1:

  1. Enter a name for the rule in the ‘Rule Name’ text box.
  2. Enter a description for the rule in the ‘Description’ text box.
  3. Use the drop-down menu to choose a ‘Severity’ for the rule.
  4. Click on the ‘+ Add Condition’ button.
    1. Choose the ‘Function’ for the rule. In this case ‘AVG’ is chosen.
    2. Choose the ‘Attribute’ for the rule. In this case ‘CPU Util’ is chosen.
    3. Choose the ‘Operator’ for the rule. In this case ‘>=’ is chosen.
    4. Enter the ‘Value’ for the rule. In this case ’95’ is entered.
  5. Select the devices to apply the rule to.
  6. Enter the number of events that must occur for the rule to fire. In this case ‘3’ is used.
  7. Enter the time frame for the rule. In this case ‘600’ seconds is used.


Example of a Rule with Multiple Sub-Patterns

This topic provides an example of a rule with two sub-patterns, and also how to use the Event Type attribute as a filter.

Rule Conditions

Creating Sub-Pattern P1

Creating Sub-Pattern P2

Defining the Relationship Between Patterns

Defining the Incident to be Generated by the Rule

Rule Conditions

The purpose of this rule is to trigger an incident when five login failures from the same source to a server are not followed by a successful login from the same source to the same server within one hour. This requires two sub-patterns, the first one to detect “five login failures from the same source to a server,” and a second one to detect “a successful logon from the same source to the same server.” The two sub-patterns need to be interrelated to make the complete rule.

Sub-pattern 1 (P1)

Event Filter Attribute Group By Attributes Aggregate Conditions
Event type = Logon Failure Source IP, Destination IP COUNT (Matched Event) >= 5

Sub-pattern 2 (P2)

Event Filter Attribute Group By Attributes Aggregate Conditions
Event type = Logon Success Source IP, Destination IP COUNT(Matched Event) > 0

P1/P2 Interrelationships and Constraints

Interrelationships Constraints
P1 NOT_FOLLOWED_BY P2 P1’s Source IP = P2’s Source IP, P1’s Destination IP = P2’s Destination IP

Creating Sub-Pattern P1

The following steps describe how to create a rule that matches the above example 2:

  1. Log in to your Supervisor node.
  2. Go to Analytics > Rules.
  3. Click New.
  4. For Rule Name, enter Suspicious Login Failure.
  5. For Description, enter the rule conditions stated in the introduction to this topic.
  6. For Severity, select 10 – High.
  7. For Attributes, select All.
  8. Next to Conditions, click Add Subpattern.

You will now create the first subpattern for “five login failures from the same source to a server.”

  9. For Subpattern Name, enter LogonFailures.

To create this sub-pattern you will want to specify that all types of logon failures should be monitored. For this reason, you will want to specify an entire folder of event types as the rule condition, rather than a single attribute of an event.

  10. For Attribute, select Event Type.
  11. For Operator, select IN.
  12. For Value, click to open the CMDB Browser.
  13. In the CMDB Browser, go to Event Types > Security > Logon Failure, and click Folder >> to select the Logon Failure events group. Your filter condition, as shown in the screenshot, can be read as “For any type of event in the Logon Failure event group . . .”
  14. Under Aggregate Conditions, click the Expression Builder icon next to Attribute and select COUNT(Matched Events).
  15. For Operator, enter >=.
  16. For Value, enter 5.
  17. Under Group By, enter Source IP for Attribute, and then click + to add another Group By
  18. Enter Destination IP.
  19. Click Save.

This screenshot shows the complete entry for sub-pattern P1.

Creating Sub-Pattern P2

  1. In your rule, next to Conditions, click Add Subpattern.
  2. For Subpattern Name, enter LogonSuccess.
  3. For Attribute, select Event Type.
  4. For Operator, select IN.
  5. For Value, click to open the CMDB Browser.

This button only becomes active if you select Event Type as an attribute.

  6. In the CMDB Browser, go to Event Types > Security > Logon Failure, and click Folder >> to select the Logon Failure events group. Your filter condition, as shown in the screenshot, can be read as “For any type of event in the Logon Failure event group . . .”
  7. Under Aggregate Conditions, click the Expression Builder icon next to Attribute and select COUNT(Matched Events).
  8. For Operator, enter >.
  9. For Value, enter 0.
  10. Under Group By, enter Source IP for Attribute, and then click + to add another Group By
  11. Enter Destination IP.
  12. Click Save.

This screenshot shows the complete entry for sub-pattern P2.

Defining the Relationship Between Patterns

You will now see both of your sub-patterns listed under the Conditions for your rule definition.

  1. Make sure that LogonFailures is selected as the first pattern under If this Pattern occurs, and under Next Op, select NOT_FOLLOWED_BY.
  2. Select LogonSuccess as the second subpattern.
  3. Click Add Subpattern Relationship.
  4. For the first relationship definition, select LogonFailures for Subpattern, Source IP for Attribute, and = for Operator.
  5. For the second subpattern, select LogonSuccess for Subpattern, Source IP for Attribute, and AND for Next Op.
  6. Under Row, click +.
  7. For the second relationship definition, for the first subpattern, select LogonFailures for Subpattern, Destination IP for Attribute, and = for Operator.
  8. For the second subpattern, select LogonSuccess for Subpattern, and Destination IP for

This screenshot shows the full pattern and relationship definition for the two subpatterns.

Defining the Incident to be Generated by the Rule

  1. In your rule definition, click Edit next to Generate Incident.
  2. For Incident Name, enter Suspicious_Login_Failure.
  3. Under Incident Attributes, select Source IP for Event Attribute, LogonFailures for Subpattern, and Source IP for Filter Attribute.
  4. Under Row, click +.
  5. For the second incident attribute, select Destination IP for Event Attribute, LogonFailures for Subpattern, and Destination IP for Filter Attribute.
  6. Under Triggered Event Attributes, make sure that Event Receive Time, Event Type, Reporting IP, and Raw Event Log are listed in the Selected Attributes.
  7. Click OK.

This screenshot shows the complete Incident Definition.
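The sub-pattern aggregation and NOT_FOLLOWED_BY relationship described under Defining Rule Conditions and in this Suspicious Login Failure example, modelled in Python as an added example rather than FortiSIEM's own rule engine. The event records and their field names (ts, type, src, dst), the timestamps, the use of a Python set in place of the CMDB event-type group, and the window semantics (P1 occurs when its count threshold is reached; a matching P2 event after that point within the window suppresses the incident) are all assumptions.

```python
# Added example, not FortiSIEM code: a minimal evaluator for the two-sub-pattern
# rule above (LogonFailures NOT_FOLLOWED_BY LogonSuccess, joined on Source IP and
# Destination IP). Event records, field names and timestamps are constructed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Subpattern:
    event_types: frozenset  # stands in for the CMDB event-type group (Event Type IN ...)
    group_by: tuple         # Group By attributes, e.g. ("src", "dst")
    min_count: int          # aggregate condition: COUNT(Matched Events) >= min_count

def subpattern_groups(events, sp):
    """Apply the event filter, group by the Group By attributes, and keep only the
    groups whose COUNT(Matched Events) satisfies the aggregate condition."""
    groups = defaultdict(list)
    for e in events:
        if e["type"] in sp.event_types:
            groups[tuple(e[a] for a in sp.group_by)].append(e)
    return {key: evs for key, evs in groups.items() if len(evs) >= sp.min_count}

def not_followed_by(events, p1, p2, window, incident_name):
    """P1 NOT_FOLLOWED_BY P2. Both sub-patterns group by the same attributes, so a
    shared group key is the inter-sub-pattern constraint (P1's Source IP = P2's
    Source IP AND P1's Destination IP = P2's Destination IP). P1 occurs when its
    threshold is reached; an incident fires unless a matching P2 event follows
    within `window` seconds (assumed semantics)."""
    p2_groups = subpattern_groups(events, p2)
    incidents = []
    for key, p1_events in subpattern_groups(events, p1).items():
        fired_at = sorted(e["ts"] for e in p1_events)[p1.min_count - 1]
        followed = any(fired_at < e["ts"] <= fired_at + window
                       for e in p2_groups.get(key, []))
        if not followed:  # incident attributes come from the P1 sub-pattern
            incidents.append({"name": incident_name, "ts": fired_at,
                              **dict(zip(p1.group_by, key))})
    return incidents

def suspicious_login_failure(events, window=3600):
    """The example rule: 5+ logon failures per (Source IP, Destination IP) not
    followed by a logon success from that source to that server within an hour."""
    p1 = Subpattern(frozenset({"Logon Failure"}), ("src", "dst"), 5)
    p2 = Subpattern(frozenset({"Logon Success"}), ("src", "dst"), 1)
    return not_followed_by(events, p1, p2, window, "Suspicious_Login_Failure")

def _burst(src, dst, etype, start, n, step=10):
    """Build n constructed events of one type, `step` seconds apart."""
    return [{"ts": start + i * step, "type": etype, "src": src, "dst": dst}
            for i in range(n)]

# Constructed sample events (timestamps in seconds), not real FortiSIEM data.
EVENTS = (
    _burst("10.0.0.5", "10.0.1.10", "Logon Failure", 10, 5)    # then succeeds: no incident
    + _burst("10.0.0.5", "10.0.1.10", "Logon Success", 60, 1)
    + _burst("10.0.0.6", "10.0.1.10", "Logon Failure", 100, 5)  # never succeeds: incident
    + _burst("10.0.0.7", "10.0.1.10", "Logon Failure", 200, 3)  # below COUNT >= 5: nothing
    + _burst("10.0.0.8", "10.0.1.20", "Logon Success", 300, 1)  # success BEFORE the failures,
    + _burst("10.0.0.8", "10.0.1.20", "Logon Failure", 310, 5)  # so still an incident
    + _burst("10.0.0.9", "10.0.1.10", "Logon Failure", 400, 5)  # success went to a different
    + _burst("10.0.0.9", "10.0.1.20", "Logon Success", 450, 1)  # server: constraint not met
)
```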
