FortiSIEM Real Time Search

Real Time Search

You can use Real Time search to view events as they are occurring in real time within your IT infrastructure. You can use both simple and structured search criteria, as you would with historical search, but instead of the results displayed in a report like you would see with an historical search, real time search results are displayed as a rolling graph and summary of events that you can drill down into.

Overview of the Real Time Search User Interface

Creating a Simple Real Time Search

Creating a Structured Real Time Search

Viewing and Refining Real Time Search Results


Overview of the Real Time Search User Interface

The real time search interface is very similar to the interface for historical search, with the exception that real time search doesn’t have an option to set a search time period. As with historical search, you can also run simple or structured search queries. The main difference between historical and real time search is that real time search displays your results as they are occurring in your IT infrastructure, with a scrolling chart and summary of the results.

Simple Real Time Search

Simple Real Time Search Interface Controls

Structured Real Time Search

Simple Real Time Search

When you use simple real time search, you enter a keyword to search for in the logs collected by AccelOps, set any columns you want to display in the Raw Event Log Results Summary, and, for multi-tenant deployments, select any organizations you want to filter the results for. You can then select results in the real time chart to use for historical searches, or you can select results in the Raw Event Log Results Summary to learn more information about them or use them as filters in refining your search.

This screenshot shows the results for searching the raw event logs for occurrences of TCP.

Simple Real Time Search Interface Controls

UI Control and Description

Filter Criteria: For simple real time search, use the search box to find keywords in raw event logs. You can also create a rule from your search results.

Set Summary Display Columns: Select which columns will be displayed in the Raw Event Log Results Summary.

Organizations Filter: For multi-tenant deployments, select which organizations you would like to filter the results for.

Real Time Chart: Displays results as they occur in real time. Use the Pause, Fast Forward, Stop, and Clear buttons to control the display.

Raw Event Log Results Summary: Displays a summary of the raw event logs for your search results in real time. Click Pause in the real time chart and then select an item in the summary results to view attributes such as Reporting and Destination IP, add an IP address to a watch list, add an attribute as a search filter, or get topological information about network devices. Selecting a result from the summary list also enables the Filter, Quick Info, and Locations buttons.

Structured Real Time Search

For structured real time search, you only enter the filter conditions that you want to use, instead of having to also specify aggregation and group by conditions as you would in a structured historical search.

This screenshot shows the Conditions dialog for structured real time search. You can select attributes and create expressions to use in structured real time search the same way you would in structured historical search.

This screenshot shows the Conditions dialog after having selected Structured in the search controls, with two search conditions set.


Creating a Simple Real Time Search

  1. Log into your Supervisor node.
  2. Go to Analytics > Real Time Search.
  3. In Filter Criteria, select Simple.
  4. Enter the keywords you want to search for in the raw event logs collected by AccelOps.

See Keywords and Operators for Simple Searches for more information about keyword searching.

  5. Select the Display Fields for the results summary.

See Selecting Attributes for Structured Searches and Display Fields for more information about selecting attributes that can be displayed for reported events.

  6. For multi-tenant deployments, select any Organizations that you want to filter the results for.
  7. Click Search.

Related Links

Keywords and Operators for Simple Searches

Selecting Attributes for Structured Searches, Display Fields, and Rules

Creating a Structured Real Time Search

  1. Log in to your Supervisor node.
  2. Go to Analytics > Real Time Search.
  3. For Filter Criteria, select Structured.

The Conditions search window will open.

  4. Click the downward arrow in the search window to open the Conditions dialog. Alternatively, you can click to use a saved Filter Criteria Set.
  5. Under Conditions, set the Attribute, Operator, and Value for your condition.

You can also use expressions as search conditions. See Using Expressions in Structured Searches and Rules for more information, and Selecting Attributes for Structured Searches, Display Fields, and Rules for more information about using attributes in conditions.

  6. Click + under Row to add another condition, and set the Next Operator to use for that condition.

You can give precedence to conditions by setting parentheses around them with the + button under Paren.

  7. Click OK.

You can also click Save as Filter Criteria Set, and these conditions will be available for future searches by clicking next to the search window.

  8. Under Display Fields, select the attributes you want to use as the columns in your results list.

See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information about selecting attributes for devices and events to use as display fields.

  9. For multi-tenant deployments, select the Organization you want to run the search against.
  10. Click Search.

The results of your search will appear in the real time chart and results list.
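As an added illustration (not code from the FortiSIEM guide or product), the Python below models the rows of the Conditions dialog (Paren, Attribute, Operator, Value, Next Operator) and evaluates them against a constructed stream of events, showing how the parentheses added under Paren change which events match. The attribute names, event values, operator subset and the left-to-right evaluation order used when no parentheses are set are all assumptions for this example.

```python
from dataclasses import dataclass, replace
from typing import Any, List, Optional
# Constructed subset of the Conditions dialog operators.
OPERATORS = {"=": lambda a, b: a == b, "CONTAIN": lambda a, b: str(b) in str(a)}

@dataclass
class Row:  # one dialog row: Paren, Attribute, Operator, Value, Next Operator
    attribute: str
    operator: str
    value: Any
    paren_open: bool = False       # "+" under Paren placed before this row
    paren_close: bool = False      # closing paren placed after this row
    next_op: Optional[str] = None  # "AND"/"OR" linking to the next row; None on the last

def _combine(left: Optional[bool], op: Optional[str], right: bool) -> bool:
    if left is None:               # first row of the set or of a paren group
        return right
    return (left and right) if op == "AND" else (left or right)

def evaluate(rows: List[Row], event: dict) -> bool:
    """Assumption (not stated in the guide): rows combine left to right unless parenthesised."""
    stack, acc, pending = [], None, None  # stack holds (outer acc, outer op) per open paren
    for row in rows:
        if row.paren_open:
            stack.append((acc, pending))
            acc, pending = None, None
        hit = OPERATORS[row.operator](event.get(row.attribute), row.value)
        acc = _combine(acc, pending, hit)
        if row.paren_close:
            outer_acc, outer_op = stack.pop()
            acc = _combine(outer_acc, outer_op, acc)
        pending = row.next_op
    return bool(acc)

def matching_events(rows: List[Row], events: List[dict]) -> List[dict]:
    return [e for e in events if evaluate(rows, e)]

# Constructed sample events, keyed by the display names Quick Info shows.
EVENTS = [{"Event Type": "Login-Failure", "Source IP": "10.0.0.5"},
          {"Event Type": "Login-Success", "Source IP": "10.0.0.6"},
          {"Event Type": "Login-Failure", "Source IP": "10.0.0.7"},
          {"Event Type": "Login-Failure", "Source IP": "10.0.0.6"}]

def grouped_rows() -> List[Row]:  # Event Type = Login-Failure AND (Source IP = .5 OR Source IP = .6)
    return [Row("Event Type", "=", "Login-Failure", next_op="AND"),
            Row("Source IP", "=", "10.0.0.5", paren_open=True, next_op="OR"),
            Row("Source IP", "=", "10.0.0.6", paren_close=True)]

def ungrouped_rows() -> List[Row]:  # same rows without Paren: reads as (A AND B) OR C
    return [replace(r, paren_open=False, paren_close=False) for r in grouped_rows()]
```

With the parentheses, only the two Login-Failure events from the listed source addresses match; without them the Login-Success event from 10.0.0.6 is also returned.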

Viewing and Refining Real Time Search Results

When your real time search runs, you will see the results represented as a scrolling chart across the top of the search results window, and as a scrolling list at the bottom of the window that includes the raw event log information for events matching your search criteria. You can select items in the scrolling chart to use in historical search, view more information about individual items in the results list, and add attributes from your search results to your search filters or display fields.

Selecting Results for Historical Search

Viewing Information about Real Time Search Results

Adding Search Results to Search Filters, Watch Lists, or Display Fields

Selecting Results for Historical Search

  1. When you see a time interval of events that you want to use for historical search appear in the scrolling chart, click Pause or Stop.
  2. Hover your mouse cursor over the bar that represents the time interval until the time interval information appears, and then double-click on the bar.
  3. The time interval and Event Type will be added to the criteria for an historical search.

Complete the other criteria you want to use for the search as described in Historical Search.

Viewing Information about Real Time Search Results

  1. When you see an event appear in the search results list that you want more information about, click Pause or Stop.
  2. Select the event row and click Quick Info to view the Reporting IP, Event Type, Source IP, and Destination IP for that event.
  3. To view information about specific attributes of an event, click in the attribute display field and click Quick Info.

For attributes associated with devices, this will open the Quick Info view of the device as described in Summary Dashboard User Interface Overview. For event types, it will show information such as the severity and device associated with the event type.

  4. To view information about a device's location in the network topology, select it in the display field and then select Topology.

Adding Search Results to Search Filters, Watch Lists, or Display Fields

With a search result selected in the results list, click Filter to select event attributes to add to the search filter.

In the expanded Raw Events Log, click on items in the text string to include or exclude them as search filter criteria.

To add a specific result to the search criteria, in the results list, click on an item in a display field to open the options menu, and then select Add to Filter.

To add an IP address to a watch list, click on it to open the options menu, and then select Add to Watch List.

See Watch Lists for more information.

See the section on Selecting Attributes from the Raw Event Log Column in the Results Lists in the topic Selecting Attributes for Structured Searches and Display Fields for information on how you can view and select the attributes associated with events to use as search filters or display fields from the real time search results list.


This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
