FortiSIEM Device Risk View of Incidents

Device Risk View of Incidents

Viewing Devices Sorted By Risk

  1. Go to Incident tab
  2. Set Group By to Host Risk Score.
  3. Left pane shows Devices Sorted By Risk
  4. Right pane shows incidents for the device selected in left panel

Calendar View of Incidents

The calendar view of incidents provides a summary view of the number of incidents that have occurred on a calendar day, grouped by severity. Clicking a group loads a summary of those incidents.

This screenshot shows the calendar view of incidents for the month of February 2015.

Fishbone View of Incidents

The fishbone view of incidents presents a view of networks and devices in those networks, along with the incidents triggered for those devices over the last 24. This view is derived from the Network Segments in the CMDB, with the devices associated with those segments overlaid. The numbers and colors for each device indicate the number and severity of incidents associated with that device.

Clicking on an incident  number will show you a summary of those incidents. Clicking on Last Seen, First Seen, Incident Name, or Incid ent Details in that summary will let you select Incident Details to view more information. Clicking on any IP addresses associated with the device will open a contextual menu that will let you find out more information about that device.

Clicking on an IP number or hostname in the fishbone view will let you view the Quick Info for that device, or you can select Topology to view it within the context of your network topology.

Hovering your mouse cursor over a device or incident number will show you the IP address and host name for that device, as well as the type of device.

This screenshot shows an example fishbone view of network segments, devices, and associated incidents.

Incident Notifications

The sending of notifications when an incident occurs is handled by Notification Policies, which you can see listed in the Analytics > Incident Notification Policies page. Instead of having notifications set for each rule, you can create a policy and have it apply to multiple rules.

When viewing the notification policies, think of  the columns on the page as representing a series of “If … and … then” statements that lead to the notification action. For example, you could read the table columns as a sentence:

“IF Incident Severity is X1 AND Rule is X2 AND Time Range is X3 AND Affected Items includes X4 AND Affected Organizations is X5, THEN take the actions specified in the ACTION column.”

When AccelOps evaluates whether a notification action should be triggered based on the notification conditions, it evaluates all notification policies, and will trigger the actions of all policies that meet the condition, instead of just the first policy that meets the conditions. This means that the order of policies in the list doesn’t matter, and that you can write policies with overlapping conditions that could also, for example, include different actions.

See also the topics under Incident Notification for more information about the methods that are available for sending notifications from AccelOps, including the AccelOps API.

Creating an Incident Notification Policy

Sending Email and SMS Notifications for Incidents

Customizing Email Templates for Notifications

Setting Scripts as Notification Actions

Example of a Windows Restart Script as a Notification Action Incident XML File Format

Viewing Incident Notification History


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos