Quantcast
Channel: Fortinet GURU
Viewing all articles
Browse latest Browse all 2380

FortiSIEM Structured Search Operators

$
0
0
Structured Search Operators
Operator Meaning Allowed on

Event Attribute

Types or CMDB

Group

Example as seen in GUI
=, != Compares whether an attribute is exactly identical or not identical to a specified value All except DATE types Event Type = “PH_DEV_MON_SYS_CPU_UTIL”

Source IP != 10.1.1.1

>, >=, <, <= Compares whether an attribute is less or greater than a specified value Numeric types:

UINT16, UINT32,

UINT64, DOUBLE

CPU Util > 10
IN, NOT IN Determines whether an attribute belongs or does not belong to a set of values. For string valued attributes, the match is case insensitive. All except DATE type

Allows CMDB

Groups

System Event Category IN (3,6)

Event Type IN

(“PH_DEV_MON_SYS_CPU_UTIL”,”PH_DEV_MON_SYS_MEM_UTIL”)

Event Type IN (“PH_DEV_MON_SYS_CPU_UTIL”,Event Types:Login

Failure)

Source IP IN Devices:Windows, Devices:Unix

Destination IP IN Networks:VPN Pool

BETWEEN,

NOT

BETWEEN

Determines whether an attribute is between a range of values All except STRING types Source IP BETWEEN (10.1.1.1, 10.1.1.255)

CPU Util BETWEEN (20.0, 30.0)

Event Receive Time BETWEEN (18:35 03/17/2014, 18:35 03/26/2014)

IS (NULL),

IS NOT

(NULL)

Determines whether an attribute is present or not All types Host Name IS NOT NULL
CONTAINS,

NOT

CONTAINS

Determines whether a string valued attribute contains a specified sub-string.

For Raw Event Log – the sub-string has to contain the beginning of every word For all other string type attributes: the sub-string can be in any  position

STRING Event Type CONTAINS “DEV_MON” matches “PH_DEV_MON_CPU”

Event Type NOT CONTAINS “DEV_MON” does not matche “PH_DEV_MON_CPU”

Reporting Model CONTAINS “dows” matches “Microsoft Windows”

Reporting Model CONTAINS “soft win” matches “Microsoft Windows”

Raw Event Log CONTAINS “dows” does not match “Microsoft Windows”

Raw Event Log CONTAINS “microsoft win” matches “Microsoft Windows 2003”

(For more general patterns use regular expressions)

REGEXP,

NOT

REGEXP

Determines whether a string valued attribute matches a specified pattern. Raw message needs to be UTF-8 encoded. STRING Raw Event Log REGEXP “\d+.\d+\d+.\d+”

Event Type NOT REGEXP “PH_DEV_MON_.*” – match events with event types not beginning with PH_DEV_MON


Viewing all articles
Browse latest Browse all 2380

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>