FortiSIEM Selecting Attributes for Structured Searches, Display Fields, and Rules


For both Real Time and Historical structured searches you have the option to select event attributes to use in both your search and Group By filters, and as display fields in your result lists. Since AccelOps recognizes over 130,000 event attributes, the documentation and user interface provide several ways to find the attributes you want to use. These instructions show how to access the Common Attributes menu and the CMDB attribute browser through the Attributes in search conditions, but you can access the same functionality in the Display Fields menu for searches, and when you create a new rule. They also contain information on how you can access the attributes associated with reported events through the Raw Event Logs column of results lists.

The Event Dictionary and Master Attribute List

Selecting Attributes in the Common Attributes Menu

Selecting Event Attributes from the CMDB

Selecting Attributes from the Raw Events Log Column of the Results Lists

The Event Dictionary and Master Attribute List

This documentation includes an Event Dictionary that describes events and their attributes, and an attribute master list, which lists the primary event attributes and their data type, along with a brief description of what values AccelOps expects to see when that attribute information is returned.

Selecting Attributes in the Common Attributes Menu

This screenshot shows the Common Attributes menu open in the Conditions Builder for a Historical search. Open the menu by clicking the downward arrow next to an Attribute text field. You can scroll through the list of event attributes to select the one you want, or begin typing an attribute name and the menu will sort based on your entry.

Selecting Event Attributes from the CMDB

You also have the option to browse all the attributes listed in the CMDB to find the one that you want. These two screenshots show the CMDB attribute browser, which you can access by clicking next to the Attribute text field.

The first screenshot illustrates browsing the CMDB attributes based on Device Type and Feature Type: Availability, Change, Performance, Security, and All. In this example, Security has been selected for Feature Type, and Cisco IOS has been selected for Device Type. This loads all the security attributes associated with Cisco IOS into the Attribute List.

The second screenshot illustrates browsing the CMDB Event Types to find an event attribute. In this example, Cisco ASA is selected for Device Type. Clicking in the Event Type window opens an Event Browser for the CMDB. Select any group in the browser, and you will see the event types within that group that are applicable to the Device Type you selected.

Selecting Attributes from the Raw Events Log Column of the Results Lists

All real time search results lists include a Raw Event Log column, and you can add a Raw Event Log column to the list of results for historical searches. In addition to providing detailed information from the raw event logs, you can also use this column to view all the attributes associated with a reported event and add them to the display fields in your results list or to your filters for structured searches.

  1. Click in the Raw Event Log column of your results list to collapse the view.

The raw event log text will collapse into an information icon with a blue +.

  2. Click on the blue + icon to open the Event Details.

You will see the raw event log text and a list of all the attributes associated with that event type.

  3. Select Filter or Display to add an attribute to the search filters or display fields for that search.
  4. Click X to close the Event Details window when you’re done making your selections.


This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
