Channel: Fortinet GURU

FortiSIEM Defining the Incident Generated by a Rule


Defining the Incident Generated by a Rule

Defining an incident involves setting attributes for the incident based on the subpatterns you created as conditions for the rule, and then setting attributes for the incident that will be used in analytics and reports.

  1. In the rule you want to define an incident for, click Edit next to Actions: Generate Incident.
  2. Enter an Incident Name, Display Name, and Description.
  3. Under Incident Attributes, define attributes for the incident based on the Group By and Aggregate Conditions attributes you set for your subpatterns. Typically you will set the incident attributes to be the same as the Group By attributes in the subpattern.
    a. Select the Event Attribute you want to add to the incident.
    b. Select a Subpattern. This populates the Filter Attribute with values from the Group By attributes in the subpattern.
    c. In the Filter menu, select the attribute you want to set as equivalent to the Event Attribute.
  4. Under Triggered Event Attributes, select the attributes from the triggering events that you want to include in dashboards and analytics for this event. This is pre-populated with typical attributes you would want included in an incident report.
  5. Click OK.
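The mapping set up in steps 3 and 4 can be seen end to end in a small model. This is an added example, not FortiSIEM code or its rule format: the rule dictionary, the event type names, the attribute names and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict

def ev(etype, src, user, n):  # builds one constructed sample event
    return {"eventType": etype, "srcIpAddr": src, "user": user,
            "destIpAddr": "10.0.1.9", "rawEventMsg": f"msg {n}"}

EVENTS = [ev("Login-Failure", "10.0.0.5", "alice", 1), ev("Login-Failure", "10.0.0.6", "bob", 2),
          ev("Login-Failure", "10.0.0.5", "alice", 3), ev("Login-Success", "10.0.0.5", "alice", 4),
          ev("Login-Failure", "10.0.0.6", "bob", 5), ev("Login-Failure", "10.0.0.5", "alice", 6)]

# Hypothetical rule model: one subpattern plus the incident definition.
RULE = {
    "subpattern": {"name": "FailedLogin",
                   "filter": lambda e: e["eventType"] == "Login-Failure",
                   "group_by": ["srcIpAddr", "user"],
                   "min_count": 3},  # aggregate condition: COUNT >= 3
    "incident": {"name": "Repeated_Login_Failure",
                 # Step 3: incident attribute -> subpattern Group By attribute.
                 "attributes": {"srcIpAddr": "srcIpAddr", "user": "user"},
                 # Step 4: attributes copied from each triggering event.
                 "triggered_event_attributes": ["destIpAddr", "rawEventMsg"]},
}

def generate_incidents(rule, events):
    sp, inc = rule["subpattern"], rule["incident"]
    # In this model an incident attribute may only reference a Group By
    # attribute, because only those hold one value for the whole group.
    bad = [a for a in inc["attributes"].values() if a not in sp["group_by"]]
    if bad:
        raise ValueError(f"not a Group By attribute of {sp['name']}: {bad}")
    groups = defaultdict(list)
    for e in filter(sp["filter"], events):
        groups[tuple(e[a] for a in sp["group_by"])].append(e)
    incidents = []
    for key, matched in groups.items():
        if len(matched) < sp["min_count"]:
            continue  # aggregate condition not met, no incident
        values = dict(zip(sp["group_by"], key))
        incidents.append({
            "name": inc["name"],
            "attributes": {k: values[v] for k, v in inc["attributes"].items()},
            "triggering_events": [{a: e.get(a) for a in inc["triggered_event_attributes"]}
                                  for e in matched],
        })
    return incidents

if __name__ == "__main__":
    for incident in generate_incidents(RULE, EVENTS):
        print(incident)
```

Only the (10.0.0.5, alice) group reaches the threshold, so one incident is produced; its attributes come from the Group By values and its triggering events carry only the selected triggered event attributes.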
