FortiSIEM Defining the Incident Generated by a Rule
Defining the Incident Generated by a Rule Defining an incident involves setting attributes for the incident based on the subpatterns you created as conditions for the rule, and then setting attributes...
FortiSIEM Defining Rule Exceptions
Defining Rule Exceptions Once you activate a rule, it continuously monitors your IT infrastructure for conditions that would trigger an event. However, you may also want to define exceptions to those...
FortiSIEM Defining Clear Conditions
Defining Clear Conditions Clear conditions specify conditions in which incidents will have their status changed from Active to Cleared. You can set the time period that must elapse for the clear...
FortiSIEM Testing a Rule
Testing a Rule After you’ve created or edited a rule, you should test it to see if it behaves as expected before you activate it. This topic describes how to test a rule using synthetic events. Procedure...
FortiSIEM Activating and Deactivating Rules
Activating and Deactivating Rules When you create a new rule, you must activate it before it will start to monitor events. You may also want to deactivate a rule, for example to test it, instead of...
FortiSIEM Adding a Watch List to a Rule
Adding a Watch List to a Rule Go to Analytics > Rules. Select the rule you want to add the watch list to, and then click Edit. Next to Watch Lists, click Edit. Select the watch list you want to add,...
FortiSIEM Cloning a Rule
Cloning a Rule You can clone a rule to use it as the basis for creating another rule, or to use in testing. Log in to your Supervisor node. Go to Analytics > Rules. Search or browse to select the...
FortiSIEM Running Historical Searches to Test Rule Sub Patterns
Running Historical Searches to Test Rule Sub Patterns If you are trying to analyze why a rule is triggering an excessive number of incidents, or why it isn’t triggering any, you can run an historical...
FortiSIEM Setting Rules for Event Dropping
Setting Rules for Event Dropping Some devices and applications generate a significant number of logs, which may be very verbose, contain little valuable information, and consume storage resources. You...
FortiSIEM Setting Rules for Event Forwarding
Setting Rules for Event Forwarding In systems management, many servers may need access to forward logs, traps and Netflows from network devices and servers, but it is often resource intensive for...
FortiSIEM Setting Global and Per-Device Threshold Properties
Setting Global and Per-Device Threshold Properties Overview Defining a Global Threshold Property Defining Per-Device Threshold Properties Using the DeviceToCMDBAttr Function in a Rule Overview In many...
FortiSIEM Using Geolocation Attributes in Rules
Using Geolocation Attributes in Rules In the same way that you can use geolocation attributes in searches and search results, you can also use them in creating rules. AccelOps includes four...
FortiSIEM Using Watch Lists as Conditions in Rules and Reports
Using Watch Lists as Conditions in Rules and Reports You may want to create a rule that refers to the attributes in a watch list, for example if you want to create a condition in which a Source IP...
FortiSIEM Viewing Rules
Viewing Rules AccelOps includes a large set of rules for Availability, Performance, Change, and Security incidents in addition to the rules that you can define for your system. To view all system and...
FortiSIEM Reports
Reports You can think of reports as saved or pre-defined versions of searches that you can load and run at any time. AccelOps includes over 2000 pre-defined reports that you can access in Analytics...
FortiSIEM System-Defined Baseline Reports
System-Defined Baseline Reports The following system provided baseline reports are continuously running in the system. Network Traffic Analysis Performance / Availability Monitoring Logon Activity...
FortiSIEM Creating a Report or Baseline Report
Creating a Report or Baseline Report Creating a report or baseline report is like creating a structured historical search, because you set the Conditions and Group By attributes that will be used to...
FortiSIEM Identity and Location Report
Identity and Location Report Overview The Identity and Location Report Display Fields Report Information and Event Types Creating New Identity Events Overview The Identity and Location report is...
FortiSIEM Report Bundles
Report Bundles Report bundles are groups of reports for common IT infrastructure analytics, such as Windows Server Health. By defining a bundle and placing reports into it, you can run all the reports...
FortiSIEM Running System and User-Defined Reports and Baseline Reports
Running System and User-Defined Reports and Baseline Reports AccelOps includes a number of baseline reports for common data center analytics, as well as over 300 reports relating to IT infrastructure....