FortiSIEM Reports

Reports

You can think of reports as saved or pre-defined versions of searches that you can load and run at any time. AccelOps includes over 2000 pre-defined reports that you can access in Analytics > Reports. Topics in this section describe how to access and view information about reports, how to create baseline reports, and how to use specialized reports like the Identity and Location report. You can refine the results of your reports in the same way that you would refine the results of an historical search or a real time search.

Baseline Reports

System-Defined Baseline Reports

Creating a Report or Baseline Report

Identity and Location Report

Report Bundles

Creating a Report Bundle

Running a Report Bundle

Running System and User-Defined Reports and Baseline Reports

Scheduling Reports

Viewing Available Reports

 

Baseline Reports

How AccelOps Sets Baselines

Evaluating Rules and Detecting Deviations

When you are setting up AccelOps to monitor your IT infrastructure, you may want to define what is “normal” activity within your systems, and have incidents triggered when a a deviation from that normal activity occurs. For example, you can always assume that there will be some logon failures to a server on a daily basis. Rather than creating a rule that will trigger an incident when a certain hard-coded number of failures occurs, you can set up baseline reports that will trigger an incident when the total number of logon failures over a time period is twice the average over the same time period, or when the deviation from the average is threee times the standard deviation over a specific time period.

By creating a baseline report, you can set mean and standard deviations for any metric and use them in rule, and AccelOps will evaluate the current monitored values against the mean and standard deviation for that time period.

How AccelOps Sets Baselines

Establishing a baseline means recognizing that data center resource usage is time dependent:

Usage is different during weekdays and weekends, and may also be different depending on the day of the week or month Usage is dramatically higher during business hours, typically 8am-5pm

AccelOps maintains distinct baselines for weekdays, weekends and for each hour of day – a total of 24*2 = 48 buckets. Baselines for days of the week or month are not maintained to save memory usage, as this would require 31*24 = 1764 buckets, a 15 fold-increase of memory.

A baseline report is a set of Keys that represent the baselined metrics, and a collection of Values. You can see examples of these Keys and Values in the System-Defined Baseline Reports. These are then used in this process to build the report:

  1. During the current hour, the Supervisor and any Worker nodes operate in parallel to save a baseline report in memory by analyzing the report events as a stream.
  2. When the hour finishes:
    1. The report is written to disk (on NFS for AccelOps cluster).
    2. The Supervisor module summarizes individual baseline reports from all nodes and forms the baseline for the current hour. c. The baselines are stored in a SQLite database on a local Supervisor.
    3. The Supervisor module reads the previous baseline for the current time interval from the SQLite database. Then it combines the previous values with the current values to create a new baseline.
    4. The new baseline is then stored in SQLite database.
  3. For the new hour, a new baseline is created following this process

As this process illustrates, baselining is continuous in AccelOps, and new baseline values are learned adaptively.

Evaluating Rules and Detecting Deviations

A baseline rule contains expressions that involve using the functions STAT_AVG() and STAT_STDDEV() to set dynamic thresholds.

These examples show how STAT_AVG() and STAT_STDDEV() would be used to evaluate the conditions for the example of logon failures in the introduction to this topic.

Condition Statement How the Baseline is Evaluated
Current value of X is more than 2 times the statistical average of X for the current hour Baseline evaluated using Baseline Report with ID X > 2 *

STAT_AVG(X:ID)

Deviation of X from its statistical average is more than 3 times its standard deviation for the current hour All baselines evaluated using Baseline Report with ID ABS(X –

STAT_AVG(X:ID) > 3 * STAT_STDDEV(X:ID)

When AccelOps processes these rules:

  1. Rule engine computes the current values in memory.
  2. Every 5 minutes:
    1. It looks for STAT_AVG(X:ID) and STAT_STDDEV(X:ID) in memory
    2. If it fails, it retrieves them from the SQLite database and caches them for future use during the hour. c. Evaluates the rule conditions

A sample rule condition involving statistical functions is shown below with (X = AVG(fwConnCount); ID = 112).


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.