FortiSIEM Structured Search Operators

Structured Search Operators

Each entry lists the operator, its meaning, the event attribute types (or CMDB group) it is allowed on, and the example as seen in the GUI.

Operator: =, !=
Meaning: Compares whether an attribute is exactly identical, or not identical, to a specified value.
Allowed on: All except DATE types
Examples:
  Event Type = "PH_DEV_MON_SYS_CPU_UTIL"
  Source IP != 10.1.1.1

Operator: >, >=, <, <=
Meaning: Compares whether an attribute is less than or greater than a specified value.
Allowed on: Numeric types: UINT16, UINT32, UINT64, DOUBLE
Example:
  CPU Util > 10

Operator: IN, NOT IN
Meaning: Determines whether an attribute belongs, or does not belong, to a set of values. For string-valued attributes the match is case insensitive.
Allowed on: All except DATE type; CMDB Groups are allowed
Examples:
  System Event Category IN (3,6)
  Event Type IN ("PH_DEV_MON_SYS_CPU_UTIL","PH_DEV_MON_SYS_MEM_UTIL")
  Event Type IN ("PH_DEV_MON_SYS_CPU_UTIL",Event Types:Login Failure)
  Source IP IN Devices:Windows, Devices:Unix
  Destination IP IN Networks:VPN Pool

Operator: BETWEEN, NOT BETWEEN
Meaning: Determines whether an attribute is within a range of values.
Allowed on: All except STRING types
Examples:
  Source IP BETWEEN (10.1.1.1, 10.1.1.255)
  CPU Util BETWEEN (20.0, 30.0)
  Event Receive Time BETWEEN (18:35 03/17/2014, 18:35 03/26/2014)

Operator: IS (NULL), IS NOT (NULL)
Meaning: Determines whether an attribute is present or not.
Allowed on: All types
Example:
  Host Name IS NOT NULL

Operator: CONTAINS, NOT CONTAINS
Meaning: Determines whether a string-valued attribute contains a specified sub-string.
  For Raw Event Log, the sub-string has to contain the beginning of every word.
  For all other string-type attributes, the sub-string can be in any position.
Allowed on: STRING
Examples:
  Event Type CONTAINS "DEV_MON" matches "PH_DEV_MON_CPU"
  Event Type NOT CONTAINS "DEV_MON" does not match "PH_DEV_MON_CPU"
  Reporting Model CONTAINS "dows" matches "Microsoft Windows"
  Reporting Model CONTAINS "soft win" matches "Microsoft Windows"
  Raw Event Log CONTAINS "dows" does not match "Microsoft Windows"
  Raw Event Log CONTAINS "microsoft win" matches "Microsoft Windows 2003"
  (For more general patterns use regular expressions.)

Operator: REGEXP, NOT REGEXP
Meaning: Determines whether a string-valued attribute matches a specified pattern. The raw message needs to be UTF-8 encoded.
Allowed on: STRING
Examples:
  Raw Event Log REGEXP "\d+.\d+\d+.\d+"
  Event Type NOT REGEXP "PH_DEV_MON_.*" matches events whose event type does not begin with PH_DEV_MON
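As an added illustration (not FortiSIEM code), the following Python models three of the operators above, using the page's own CONTAINS examples as inputs. The word-prefix rule for Raw Event Log CONTAINS is an assumption drawn from those examples, and the event-type and IP values in the tests are constructed samples.

```python
"""Reference model of CONTAINS, REGEXP and BETWEEN (on IPs) as described above.
Added example, not FortiSIEM code. The Raw Event Log rule is an assumed model of
'the sub-string has to contain the beginning of every word'."""
import ipaddress
import re
from typing import Union


def contains(value: str, needle: str, raw_event_log: bool = False) -> bool:
    """CONTAINS.
    Ordinary string attributes: case-insensitive sub-string at any position.
    Raw Event Log (assumed model): each word of the needle must be the beginning
    of a consecutive word in the log, so 'dows' cannot match 'Windows'."""
    if not raw_event_log:
        return needle.lower() in value.lower()
    log_words = value.lower().split()
    needle_words = needle.lower().split()
    if not needle_words or len(needle_words) > len(log_words):
        return False
    for start in range(len(log_words) - len(needle_words) + 1):
        if all(log_words[start + i].startswith(w) for i, w in enumerate(needle_words)):
            return True
    return False


def regexp(value: Union[str, bytes], pattern: str) -> bool:
    """REGEXP: unanchored search, so 'PH_DEV_MON_.*' matches anywhere unless
    the pattern itself is anchored. A raw message arriving as bytes must decode
    as UTF-8; anything else raises UnicodeDecodeError instead of matching."""
    if isinstance(value, bytes):
        value = value.decode("utf-8")
    return re.search(pattern, value) is not None


def ip_between(value: str, low: str, high: str) -> bool:
    """BETWEEN on an IP attribute: inclusive range compared as addresses.
    Comparing the dotted strings instead would put 10.1.1.9 above 10.1.1.77."""
    ip = ipaddress.ip_address(value)
    return ipaddress.ip_address(low) <= ip <= ipaddress.ip_address(high)
```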