FortiSIEM Defining Clear Conditions

Defining Clear Conditions

Clear conditions specify when an incident's status is changed from Active to Cleared. You set the time period that must elapse before the clear condition takes effect, and then choose what the clear condition is based on: either the original rule no longer triggering, or a clear sub-pattern defined in terms of the incident attributes.

  1. In Analytics > Rules, select the rule you want to add the clear condition to, and click Edit.
  2. Next to Clear Condition, click Edit.
  3. Set the Time Period that must elapse before the clear condition takes effect.
  4. If you want the clear condition to be based on the original rule no longer firing, select the Original Rule Does Not Trigger option. For example, to change Active incidents to Cleared once the original rule has not triggered for ten minutes, set Cleared Within (the Time Period from step 3) to 10 Minutes and select this option.
  5. If you want to base the clear condition on a sub-pattern of the incident attributes, select the following conditions are met option.

The incident attributes from your rule will load and the clear condition attributes will be set to match.

  6. Define the pattern to use by clicking the Edit icon next to the clear sub-pattern.
  7. Click Save.
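The two modes chosen in steps 4 and 5 behave quite differently once incidents are open, and the difference is easy to get wrong when tuning Cleared Within. The following Python model is an added example, not FortiSIEM code: it replays a constructed event stream against a single "Host Down" rule and applies a clear condition in each mode. The event types (ping_fail, ping_ok), the "$attribute" convention for referring to an incident attribute from the clear sub-pattern, and the exact window semantics (a sub-pattern match counts only within Cleared Within seconds of the last trigger) are assumptions of the model.

```python
"""Illustrative model of incident clear conditions (added example, not FortiSIEM code).

Rule modelled: "Host Down" fires on eventType "ping_fail", grouped by hostName.
Clear modes:   "no_trigger"  - step 4 on the page (Original Rule Does Not Trigger)
               "sub_pattern" - step 5 on the page (the following conditions are met)
Event names, the "$attr" convention and the window semantics are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACTIVE, CLEARED = "Active", "Cleared"


@dataclass
class Incident:
    rule: str
    attrs: Dict[str, str]        # incident attributes (the rule's group-by fields)
    last_trigger: int            # epoch seconds of the most recent rule firing
    status: str = ACTIVE
    cleared_at: Optional[int] = None


@dataclass
class ClearCondition:
    cleared_within: int                        # seconds; the page's example is 10 min = 600
    mode: str = "no_trigger"                   # "no_trigger" or "sub_pattern"
    sub_pattern: Optional[Dict[str, str]] = None  # event constraints; "$name" = incident attr


def sub_pattern_matches(event: dict, incident: Incident, cond: ClearCondition) -> bool:
    """True if the event satisfies every constraint of the clear sub-pattern."""
    for key, want in cond.sub_pattern.items():
        if want.startswith("$"):                       # assumed convention: "$hostName"
            want = incident.attrs.get(want[1:])
        if event.get(key) != want:
            return False
    return True


def run(events: List[dict], cond: ClearCondition, now: int) -> List[Incident]:
    """Replay events (sorted by time) and return every incident created, in order."""
    open_by_host: Dict[str, Incident] = {}
    history: List[Incident] = []

    def expire(t: int) -> None:
        # Mode of step 4: the original rule has not re-fired for cleared_within seconds.
        if cond.mode != "no_trigger":
            return
        for inc in open_by_host.values():
            if inc.status == ACTIVE and t - inc.last_trigger >= cond.cleared_within:
                inc.status, inc.cleared_at = CLEARED, inc.last_trigger + cond.cleared_within

    for ev in sorted(events, key=lambda e: e["time"]):   # stable sort keeps input order for ties
        t, host = ev["time"], ev["hostName"]
        expire(t)
        inc = open_by_host.get(host)
        if ev["eventType"] == "ping_fail":               # the original rule triggers
            if inc is None or inc.status == CLEARED:     # a cleared incident is not reopened
                inc = Incident("Host Down", {"hostName": host}, t)
                open_by_host[host] = inc
                history.append(inc)
            else:
                inc.last_trigger = t                     # re-firing keeps it Active
        elif (cond.mode == "sub_pattern" and inc is not None and inc.status == ACTIVE
              and sub_pattern_matches(ev, inc, cond)
              and t - inc.last_trigger <= cond.cleared_within):
            inc.status, inc.cleared_at = CLEARED, t      # mode of step 5
    expire(now)                                          # evaluate the window one last time
    return history


def summarize(history: List[Incident]) -> List[Tuple[str, str, Optional[int]]]:
    return [(i.attrs["hostName"], i.status, i.cleared_at) for i in history]


# Constructed sample stream (epoch seconds). fw1 fails twice then recovers,
# fw2 fails once and is never heard from again, fw3 fails again after the window.
EVENTS = [
    {"time": 0,   "eventType": "ping_fail", "hostName": "fw1"},
    {"time": 0,   "eventType": "ping_fail", "hostName": "fw2"},
    {"time": 0,   "eventType": "ping_fail", "hostName": "fw3"},
    {"time": 300, "eventType": "ping_fail", "hostName": "fw1"},
    {"time": 500, "eventType": "ping_ok",   "hostName": "fw1"},
    {"time": 700, "eventType": "ping_fail", "hostName": "fw3"},
]

NO_TRIGGER = ClearCondition(cleared_within=600)
SUB_PATTERN = ClearCondition(cleared_within=600, mode="sub_pattern",
                             sub_pattern={"eventType": "ping_ok", "hostName": "$hostName"})

if __name__ == "__main__":
    for label, cond in (("Original Rule Does Not Trigger", NO_TRIGGER),
                        ("the following conditions are met", SUB_PATTERN)):
        print(label)
        for row in summarize(run(EVENTS, cond, now=2000)):
            print("  ", row)
```

Two things the replay makes visible: with Original Rule Does Not Trigger, every incident eventually clears on its own, and a trigger arriving after the window (fw3 at 700) opens a second incident rather than extending the first; with a clear sub-pattern, an incident whose recovery event never arrives (fw2) stays Active indefinitely, so that mode needs the sub-pattern to be something the monitored device reliably emits.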
