FortiSIEM Defining Rule Exceptions

Defining Rule Exceptions

Once you activate a rule, it continuously monitors your IT infrastructure for conditions that would trigger an event. However, you may also want to define exceptions to those conditions. For example, you may know that a server will be going down for maintenance during a specific time period and you don’t want your Server Down – No Ping Response rule to trigger an incident for it.

  1. In Analytics > Rules, select the rule you want to add the exception to, and click Edit.
  2. Next to Exceptions, click Edit.
  3. Select an Attribute and Operator, and enter a Value, for the conditions that will prevent an incident from being generated.

The values in the Attribute menu are from the Event Attributes associated with the incident definition.

  4. Click the + icon to set an effective time period for the exception.

You can set effective time periods for single and recurring events, and for durations of time from hours to days.

  5. Enter any Notes about the exception.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiSIEM Defining the Incident Generated by a Rule

Defining the Incident Generated by a Rule

Defining an incident involves setting attributes for the incident based on the subpatterns you created as conditions for the rule, and then setting attributes for the incident that will be used in analytics and reports.

  1. In the rule you want to define an incident for, click Edit next to Actions: Generate Incident.
  2. Enter an Incident Name, Display Name, and Description.
  3. Under Incident Attributes, define attributes for the incident based on the Group By and Aggregate Conditions attributes you set for your subpatterns. Typically you will set the incident attributes to be the same as the Group By attributes in the subpattern.
    a. Select the Event Attribute you want to add to the incident.
    b. Select a Subpattern. This populates the Filter Attribute menu with the Group By attributes from that subpattern.
    c. In the Filter menu, select the attribute you want to set as equivalent to the Event Attribute.
  4. Under Triggered Event Attributes, select the attributes from the triggering events that you want to include in dashboards and analytics for this event.

This is pre-populated with typical attributes you would want included in an incident report.

  5. Click OK.

FortiSIEM Rules

Rules

FortiSIEM continuously monitors your IT infrastructure and provides you with information you can use to analyze performance, availability, and security. There may also be situations in which you want to receive alerts when exceptional, suspicious, or potential failure conditions arise. You can accomplish this by using rules that define the conditions to watch out for, and which trigger an incident when those conditions arise. This incident will appear on the Incident Summary dashboard, and you can also configure a notification policy that will send email and SNMP alerts that the incident has occurred. FortiSIEM includes over 500 system-defined rules, which you can see in Analytics > Rules, but you can also create your own rules as described in the topics in this section.

Creating Rules

FortiSIEM constantly monitors your IT infrastructure for events and collects information about them, but you can also set rules that will trigger incidents from events and send notifications when they occur. These topics describe the concepts and processes for creating rules.

Creating a Rule

Defining Rule Conditions

Example of a Rule with a Single Condition Sub-Pattern

Example of a Rule with Multiple Sub-Patterns

Defining the Incident Generated by a Rule

Defining Rule Exceptions

Defining Clear Conditions

Testing a Rule

Creating a Rule

Creating a new rule involves defining the attributes of the incident that is triggered by the rule, as well as the triggering conditions and any exceptions or clear conditions.

  1. Go to Analytics > Rules.
  2. Select the group where you want to add the new rule.
  3. Click New.
  4. Enter a Rule Name and Description.
  5. For Status, keep the rule Inactive.

You can activate the rule after you’re finished creating and testing it.

  6. Select an Incident Category for the incident triggered by the rule.

You can click Add and enter a custom incident category.

  7. Select a Severity to associate with the incident triggered by the rule.
  8. Select Update the Perf Status column on summary dashboard if you want the incident to display in the Performance Status column of the Exec Summary.
  9. For Attributes, enter the functional area, such as Security, that you want to associate the rule with.
  10. Enter a Notification Frequency for how often you want notifications to be sent when an incident is triggered by this rule.
  11. Under Conditions, click Add Subpattern to create the rule conditions.

See Defining Rule Conditions for detailed information on selecting event and aggregation attributes to use with rules. You can also see examples of rules with a single subpattern and multiple subpatterns.

  12. Enter the time interval during which the rule conditions will apply.

The minimal interval is 120 seconds.

  13. Next to Actions, click Edit to define the incident that will be generated by this rule.

See Defining the Incident Generated by a Rule for more information.

  14. Next to Watch Lists, click Edit to add a watch list to the rule.

See Adding a Watch List to a Rule for more information.

  15. If you want to define any Exceptions for the rule, click Edit. See Defining Rule Exceptions for more information.
  16. If you want to define any Clear Conditions for the rule, click Edit.

See Defining Clear Conditions for more information.

  17. Click Save.

Your new rule will be saved to the group you selected in an inactive state. Before you activate the rule, you should test it.

Defining Rule Conditions

Rule conditions define the event attributes and thresholds that will trigger an incident. Rule conditions are built from sub-patterns of event attribute filters and aggregation functions. You can specify more than one subpattern and the relationships and constraints between them.

Setting the Relationship between Subpatterns

Setting Inter-subpattern Constraints

Examples of inter-subpattern relationships and constraints

Specifying a Subpattern

A subpattern defines the characteristics of events that will cause a rule to trigger an incident. A subpattern involves defining event attributes that will be monitored, and then defining the threshold values for aggregations of event attributes that will trigger an incident.

Example of a rule with a single subpattern

This screenshot shows an example of a subpattern with a single event filter and a single event aggregation condition. Expressed as a sentence, this rule would be “When there are more than three events on a single Host IP where average CPU utilization is equal to 95%, trigger an incident.”

Event Filters

Event filter criteria determine which event attributes and values will be monitored by the rule, and are set in a way that is similar to the way you set event attributes for structured historical searches and real time searches. See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information on finding attributes to use in your event filters.

Event Aggregation

While you could have a rule that triggers an incident on a single instance of a particular event, it is more likely that you will want your rule to trigger an incident when some number of events have been found that meet your event filter criteria.

Group By Attributes

This determines which event attributes will be used to group the events before the group constraints are applied, in a way that is similar to the way the Group By attribute is used to aggregate the results of structured searches.

Aggregate Conditions

The group aggregation conditions set the threshold at which some aggregation of events will trigger a rule to create an incident. You create an aggregation condition by using the Expression Builder to set a function, and then enter the Operator and Value for the aggregation condition.

Examples of Group By and Aggregate Conditions Settings

Scenario | Group By Attributes | Aggregate Conditions
10 or more events | none | COUNT(Matched Events) >= 10
Connections to 100 or more distinct destination IPs from the same source IP | Source IP | COUNT(DISTINCT Destination IP) >= 100
Connections to 100 or more distinct destination IPs from the same source IP on the same destination port | Source IP, Destination Port | COUNT(DISTINCT Destination IP) >= 100
Average CPU Utilization on the same server > 95% over 3 samples | Host IP | COUNT(Matched Events) >= 3 AND AVG(CPU Util) > 95
Logins from the same source workstation to 5 or more accounts on the same target server | Source IP, Destination IP | COUNT(DISTINCT User) >= 5

Setting the Relationship between Subpatterns

Example of a rule with multiple subpatterns

If you have more than one sub-pattern, you must specify the relationship between them with these operators.

Operator Meaning
AND Sub-pattern P1 AND Sub-pattern P2 means both sub-patterns P1 and P2 have to occur
OR Sub-pattern P1 OR Sub-pattern P2 means either P1 or P2 have to occur
FOLLOWED-BY Sub-pattern P1 FOLLOWED-BY Sub-pattern P2 means P1 has to be followed by P2 in time
AND-NOT Sub-pattern P1 AND-NOT Sub-pattern P2 means P1 must occur while P2 must not; the time order between P1 and P2 is not important
NOT-FOLLOWED-BY Sub-pattern P1 NOT-FOLLOWED-BY P2 means P1 must occur and P2 must not occur after P1

Setting Inter-subpattern Constraints

You may want to relate attributes of a sub-pattern to the corresponding attributes of another sub-pattern, in a way that is similar to a JOIN operation in SQL, by using the relationship operators <, >, <=, >=, =, !=.

Examples of inter-subpattern relationships and constraints

Scenario 1: 5 login failures from the same source to a server not followed by a successful logon from the same source to the same server
  Sub-pattern P1 filter: Event Type = Login Failure
  P1 Group By attribute set: Source IP, Destination IP
  P1 group constraint: COUNT(Matched Event) >= 5
  Sub-pattern P2 filter: Event Type = Login Success
  P2 Group By attribute set: Source IP, Destination IP
  P2 group constraint: COUNT(Matched Event) > 0
  Inter-P1-P2 relationship: P1 NOT_FOLLOWED_BY P2
  Inter-P1-P2 constraints: P1’s Source IP = P2’s Source IP

Scenario 2: A security attack on a server followed by the server scanning the network, that is, attempting to communicate with 100 distinct destination IP addresses in 5 minute time windows
  Sub-pattern P1 filter: Event Type = Attack
  P1 Group By attribute set: Destination IP
  P1 group constraint: COUNT(Matched Event) > 0
  Sub-pattern P2 filter: Event Type = Connection Attempted
  P2 Group By attribute set: Source IP
  P2 group constraint: COUNT(DISTINCT Destination IP) > 100
  Inter-P1-P2 relationship: P1 FOLLOWED_BY P2
  Inter-P1-P2 constraints: P1’s Destination IP = P2’s Source IP

Scenario 3: Average CPU > 95% over 3 samples on a server AND Ping loss > 75%
  Sub-pattern P1 filter: Event Type = CPU_Stat
  P1 Group By attribute set: Host IP
  P1 group constraint: COUNT(Matched Event) >= 3 AND AVG(cpuUtil) > 95
  Sub-pattern P2 filter: Event Type = PING Stat
  P2 Group By attribute set: Host IP
  P2 group constraint: pingLossPct > 75
  Inter-P1-P2 relationship: P1 AND P2
  Inter-P1-P2 constraints: P1’s Host IP = P2’s Host IP

Example of a Rule with a Single Condition Sub-Pattern

This topic shows an example of how to create a rule with a single sub-pattern based on the condition that Average CPU on a server is more than 95% over 3 sample measurements.

Attribute Group By Attribute Aggregate Conditions
Avg CPU Util Host IP COUNT (Matched Event) >= 3
  1. For Rule Name, enter Hi Avg CPU.
  2. For Description enter Average CPU on a server is more than 95% over 3 sample measurements.
  3. For Severity, select 9 – High.
  4. For Attributes, select All.
  5. Set the Notification Frequency for 1 Hour.
  6. Next to Conditions, click Add Subpattern.
  7. For Subpattern Name, enter Pattern 1.
  8. Under Filters, set these options:
Option Setting
Attribute Avg CPU Util
Operator >=
Value 95

  9. Under Aggregate Conditions, click the Expression Builder icon next to the Attribute field, select COUNT(Matched Events) from the Add Function menu, and then click OK.
  10. Under Aggregate Conditions, select = for Operator and enter 3 for Value.
  11. Under Group By, select Host IP.
  12. Click Save.
  13. Enter 5 for the time interval during which the conditions will apply.
  14. You would now complete the rule by Defining the Incident Generated by a Rule, and any exceptions or clear conditions. You could also associate it with a notification policy.

This screenshot shows the subpattern settings for this example.

The following steps describe how to create a rule that matches the above example 1:

  1. Enter a name for the rule in the ‘Rule Name’ text box.
  2. Enter a description for the rule in the ‘Description’ text box.
  3. Use the drop-down menu to choose a ‘Severity’ for the rule.
  4. Click on the ‘+ Add Condition’ button.
    1. Choose the ‘Function’ for the rule. In this case ‘AVG’ is chosen.
    2. Choose the ‘Attribute’ for the rule. In this case ‘CPU Util’ is chosen.
    3. Choose the ‘Operator’ for the rule. In this case ‘>=’ is chosen.
    4. Enter the ‘Value’ for the rule. In this case ’95’ is entered.
  5. Select the devices to apply the rule to.
  6. Enter the number of events that must occur for the rule to fire. In this case ‘3’ is used.
  7. Enter the time frame for the rule. In this case ‘600’ seconds is used.

Example of a Rule with Multiple Sub-Patterns

This topic provides an example of a rule with two sub-patterns, and also how to use the Event Type attribute as a filter.

Rule Conditions

Creating Sub-Pattern P1

Creating Sub-Pattern P2

Defining the Relationship Between Patterns

Defining the Incident to be Generated by the Rule

Rule Conditions

The purpose of this rule is to trigger an incident when five login failures from the same source to a server are not followed by a successful login from the same source to the same server within one hour. This requires two sub-patterns, the first one to detect “five login failures from the same source to a server,” and a second one to detect “a successful logon from the same source to the same server.” The two sub-patterns need to be interrelated to make the complete rule.

Sub-pattern 1 (P1)

Event Filter Attribute Group By Attributes Aggregate Conditions
Event type = Logon Failure Source IP, Destination IP COUNT (Matched Event) >= 5

Sub-pattern 2 (P2)

Event Filter Attribute Group By Attributes Aggregate Conditions
Event type = Logon Success Source IP, Destination IP COUNT(Matched Event) > 0

P1/P2 Interrelationships and Constraints

Interrelationships Constraints
P1 NOT_FOLLOWED_BY P2 P1’s Source IP = P2’s Source IP, P1’s Destination IP = P2’s Destination IP
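The rule conditions above, evaluated in code as an added example (this is not FortiSIEM's own code), together with the high-CPU scenario from the Group By and Aggregate Conditions table earlier in this section. Event field names, event-type names and timestamps are constructed for illustration; only the Group By, aggregate-condition and NOT_FOLLOWED_BY logic follows the page.

```python
"""Added example (not FortiSIEM code): a small evaluator for the rule building
blocks this page describes. Event field names, event-type names and timestamps
are constructed for illustration; only the rule logic follows the page."""
from collections import defaultdict
from statistics import mean

# "Event Type IN <CMDB folder>" is simulated with one set of event types per
# folder. The names are constructed, not FortiSIEM's event dictionary.
EVENT_TYPE_GROUPS = {
    "Logon Failure": {"Win-Logon-Failure", "SSH-Logon-Failure"},
    "Logon Success": {"Win-Logon-Success", "SSH-Logon-Success"},
}


def event_type_in(folder):
    """Event filter: Event Type IN the given event-type group."""
    members = EVENT_TYPE_GROUPS[folder]
    return lambda ev: ev["eventType"] in members


def evaluate_subpattern(events, event_filter, group_by, aggregate):
    """Apply the event filter, group the surviving events by the Group By
    attributes, and keep only the groups whose aggregate condition holds.
    Returns {group_key: matched events in time order}."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if event_filter(ev):
            groups[tuple(ev[a] for a in group_by)].append(ev)
    return {key: evs for key, evs in groups.items() if aggregate(evs)}


def not_followed_by(p1_matches, p2_matches, p1_min_count):
    """P1 NOT_FOLLOWED_BY P2: keep each P1 group that has no P2 event arriving
    after the moment P1's count threshold was reached (assumption: P1 "occurs"
    at its Nth matched event). Both subpatterns group by Source IP and
    Destination IP, so the constraints P1's Source IP = P2's Source IP and
    P1's Destination IP = P2's Destination IP become a join on equal group keys.
    Returns {group_key: time at which the incident fires}."""
    incidents = {}
    for key, p1_events in p1_matches.items():
        fired_at = p1_events[p1_min_count - 1]["ts"]
        if not any(ev["ts"] > fired_at for ev in p2_matches.get(key, [])):
            incidents[key] = fired_at
    return incidents


def suspicious_login_failure(events):
    """The two-subpattern rule from this topic, evaluated over one rule window."""
    group_by = ("srcIp", "destIp")
    p1 = evaluate_subpattern(events, event_type_in("Logon Failure"), group_by,
                             lambda evs: len(evs) >= 5)  # COUNT(Matched Event) >= 5
    p2 = evaluate_subpattern(events, event_type_in("Logon Success"), group_by,
                             lambda evs: len(evs) > 0)   # COUNT(Matched Event) > 0
    return not_followed_by(p1, p2, p1_min_count=5)


def high_avg_cpu(events):
    """Single-subpattern scenario from the Group By and Aggregate Conditions table:
    Group By Host IP, COUNT(Matched Events) >= 3 AND AVG(CPU Util) > 95."""
    return evaluate_subpattern(
        events, lambda ev: ev["eventType"] == "CPU_Stat", ("hostIp",),
        lambda evs: len(evs) >= 3 and mean(ev["cpuUtil"] for ev in evs) > 95)


def logon(ts, event_type, src, dst):
    """Build one constructed logon event (ts = seconds into the rule window)."""
    return {"ts": ts, "eventType": event_type, "srcIp": src, "destIp": dst}


# Constructed sample events for one rule window.
LOGON_EVENTS = (
    # 10.0.0.5 -> 10.0.1.20: five failures; its only success goes to another
    # server, so the Destination IP constraint keeps it from clearing P1
    [logon(10 * i, "Win-Logon-Failure", "10.0.0.5", "10.0.1.20") for i in range(5)]
    + [logon(60, "Win-Logon-Success", "10.0.0.5", "10.0.1.99")]
    # 10.0.0.7 -> 10.0.1.20: five failures, then a success to the same server
    + [logon(100 + 10 * i, "SSH-Logon-Failure", "10.0.0.7", "10.0.1.20") for i in range(5)]
    + [logon(200, "SSH-Logon-Success", "10.0.0.7", "10.0.1.20")]
    # 10.0.0.9 -> 10.0.1.20: only three failures, below the P1 threshold
    + [logon(300 + 10 * i, "Win-Logon-Failure", "10.0.0.9", "10.0.1.20") for i in range(3)]
)

CPU_EVENTS = [
    {"ts": t, "eventType": "CPU_Stat", "hostIp": host, "cpuUtil": util}
    for host, samples in {"10.0.2.1": (97, 98, 99), "10.0.2.2": (99, 40, 41)}.items()
    for t, util in enumerate(samples)
]

if __name__ == "__main__":
    print(suspicious_login_failure(LOGON_EVENTS))  # {('10.0.0.5', '10.0.1.20'): 40}
    print(sorted(high_avg_cpu(CPU_EVENTS)))        # [('10.0.2.1',)]
```

Only the 10.0.0.5 group fires: the 10.0.0.7 group is cleared by the later success to the same server, and the success from 10.0.0.5 to a different server does not satisfy the Destination IP constraint.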

Creating Sub-Pattern P1

The following steps describe how to create a rule that matches the above example 2:

  1. Log in to your Supervisor node.
  2. Go to Analytics > Rules.
  3. Click New.
  4. For Rule Name, enter Suspicious Login Failure.
  5. For Description, enter the rule conditions stated in the introduction to this topic.
  6. For Severity, select 10 – High.
  7. For Attributes, select All.
  8. Next to Conditions, click Add Subpattern.

You will now create the first subpattern for “five login failures from the same source to a server.”

  9. For Subpattern Name, enter LogonFailures.

To create this subpattern you will want to specify that all types of logon failures should be monitored. For this reason, you will want to specify an entire folder of event types as the rule condition, rather than a single attribute of an event.

  10. For Attribute, select Event Type.
  11. For Operator, select IN.
  12. For Value, click to open the CMDB Browser.
  13. In the CMDB Browser, go to Event Types > Security > Logon Failure, and click Folder >> to select the Logon Failure events group. Your filter condition, as shown in the screenshot, can be read as “For any type of event in the Logon Failure event group . . .”
  14. Under Aggregate Conditions, click the Expression Builder icon next to Attribute and select COUNT(Matched Events).
  15. For Operator, enter >=.
  16. For Value, enter 5.
  17. Under Group By, enter Source IP for Attribute, and then click + to add another Group By.
  18. Enter Destination IP.
  19. Click Save.

This screenshot shows the complete entry for sub-pattern P1.

Creating Sub-Pattern P2

  1. In your rule, next to Conditions, click Add Subpattern.
  2. For Subpattern Name, enter LogonSuccess.
  3. For Attribute, select Event Type.
  4. For Operator, select IN.
  5. For Value, click to open the CMDB Browser.

This button only becomes active if you select Event Type as an attribute.

  6. In the CMDB Browser, go to Event Types > Security > Logon Success, and click Folder >> to select the Logon Success events group. Your filter condition, as shown in the screenshot, can be read as “For any type of event in the Logon Success event group . . .”
  7. Under Aggregate Conditions, click the Expression Builder icon next to Attribute and select COUNT(Matched Events).
  8. For Operator, enter >.
  9. For Value, enter 0.
  10. Under Group By, enter Source IP for Attribute, and then click + to add another Group By.
  11. Enter Destination IP.
  12. Click Save.

This screenshot shows the complete entry for sub-pattern P2.

Defining the Relationship Between Patterns

You will now see both of your sub-patterns listed under the Conditions for your rule definition.

  1. Make sure that LogonFailures is selected as the first pattern under If this Pattern occurs, and under Next Op, select NOT_FOLLOWED_BY.
  2. Select LogonSuccess as the second subpattern.
  3. Click Add Subpattern Relationship.
  4. For the first relationship definition, select LogonFailures for Subpattern, Source IP for Attribute, and = for Operator.
  5. For the second subpattern, select LogonSuccess for Subpattern, Source IP for Attribute, and AND for Next Op.
  6. Under Row, click +.
  7. For the second relationship definition, for the first subpattern, select LogonFailures for Subpattern, Destination IP for Attribute, and = for Operator.
  8. For the second subpattern, select LogonSuccess for Subpattern, and Destination IP for

This screenshot shows the full pattern and relationship definition for the two subpatterns.

Defining the Incident to be Generated by the Rule

  1. In your rule definition, click Edit next to Generate Incident.
  2. For Incident Name, enter Suspicious_Login_Failure.
  3. Under Incident Attributes, select Source IP for Event Attribute, LogonFailures for Subpattern, and Source IP for Filter Attribute.
  4. Under Row, click +.
  5. For the second incident attribute, select Destination IP for Event Attribute, LogonFailures for Subpattern, and Destination IP for Filter Attribute.
  6. Under Triggered Event Attributes, make sure that Event Receive Time, Event Type, Reporting IP, and Raw Event Log are listed in the Selected Attributes.
  7. Click OK.

This screenshot shows the complete Incident Definition.

FortiSIEM Creating Filter Criteria and Display Column Sets

Creating Filter Criteria and Display Column Sets

When you create searches, you have the option to select saved filter criteria and column sets to use. This topic describes how to create those sets.

  1. Log in to your Supervisor node.
  2. In the Analytics tab, select either Display Column Sets or Filter Criteria Sets, depending on the type of set you want to create.
  3. Click New.
  4. Add the filter criteria or display columns that you want to the set.

See Using Expressions in Structured Searches and Selecting Attributes for Structured Searches and Display Fields for more information about building searches and display columns.

  5. Click Save.

Your set will be saved to the list of sets, and you will be able to use it in searches by clicking the button next to the Filter Criteria text field in structured searches or the Display Columns menu for both structured and simple searches.

Related Links

Using Expressions in Structured Searches and Rules

Selecting Attributes for Structured Searches, Display Fields, and Rules

FortiSIEM Using Geolocation Attributes in Searches and Search Results

Using Geolocation Attributes in Searches and Search Results

When you view the results of a search, you will see that IP address fields in the results, such as Source IP or Destination IP, often have a flag added to them to indicate the geolocation of that IP address. This topic describes the geolocation information that is associated with event attributes, and provides examples of how to use this information in searches and search results.

Event and Geolocation Attributes

Using Geolocation Attributes in Searches

Viewing Geographic Locations from Search Results

Event and Geolocation Attributes

The event attributes Source IP, Destination IP, Host IP, and Reporting IP include geolocation attributes that you can use in search queries and as display fields in search results. In Incident Reports you may also see country flags included with IP addresses for Incident Source and Incident Target, which have the same geolocation attributes as Source IP and Destination IP.

Event Attribute | Geolocation Attributes
Source IP | Source Country, Source City, Source State, Source Organization, Source Longitude, Source Latitude
Destination IP | Destination Country, Destination City, Destination State, Destination Organization, Destination Longitude, Destination Latitude
Host IP | Host Country, Host City, Host State, Host Organization, Host Longitude, Host Latitude
Reporting IP | Reporting Country, Reporting City, Reporting State, Reporting Organization, Reporting Longitude, Reporting Latitude

Using Geolocation Attributes in Searches

You can use geolocation attributes in both real time and historical structured searches. For example, setting a search attribute to Source Country != United States will remove all Source IPs with a geolocation of United States from the search results.

This screenshot shows the results of using Source Country != United States and Event Severity = 1 as the search criteria. The Source IP display field contains only IP addresses associated with countries other than the United States, as indicated by the national flags next to each IP address in the Source IP column.

If you use a geolocation attribute such as Source Country as a Display Field or Group By condition, then the results will include name information for that attribute, rather than a national flag.

This screenshot shows the results of the same query used previously, but with Group By = Source Country.

Viewing Geographic Locations from Search Results

If your search results contain geographic information, click the Locations button to view that information on a map.

This screenshot shows the results for the first example query presented in a map. Clicking on a number in the map will provide you with an overview of incidents for that location.

FortiSIEM Keywords and Operators for Simple Searches

Keywords and Operators for Simple Searches

Both historical and real time searches have a simple search option that searches for keywords in the raw ASCII text of event logs. You can use operators in your keyword searches to combine terms or create simple search filters.

Keyword Operators

Examples of Using Keyword Search Operators

Quotes and Backslash Characters in Search Terms

Keyword Operators

You can use the operators AND, OR, AND NOT between keywords. If you enter more than one keyword, then AND is assumed as the operator between them. You can also use parentheses () to change the precedence of the operators.

Examples of Using Keyword Search Operators

Search String Results
TCP Finds all events with TCP in the event logs
TCP 80 Finds all events with TCP and 80 in the event logs
TCP AND (80 OR 443) Finds all events with TCP and either 80 or 443 in the event logs
TCP AND NOT 80 Finds all events with TCP but not 80

Quotes and Backslash Characters in Search Terms

If the search string contains quotation marks or backslash characters, you must escape them by prefixing them with a backslash character. For example, if you wanted to search for [location]=”United States” then you would need to enter [location]=\”United States\” as your search string.
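As an added example that is not FortiSIEM's own code, the following parser implements the keyword grammar described above (AND, OR, AND NOT, parentheses, an implied AND between adjacent keywords, and backslash-escaped quotes and backslashes) and runs it against constructed raw event lines. It assumes that AND binds tighter than OR, that a keyword matches as a case-insensitive substring of the raw text, and that an unescaped quoted string forms one phrase term; the page does not state those details.

```python
"""Added example (not FortiSIEM code): a parser and evaluator for the simple-search
keyword grammar described on this page, run over constructed raw event lines."""
from collections import deque
import re

# One token per match: a parenthesis, a quoted phrase, or a bare keyword. A backslash
# escapes the next character, so \" and \\ in the search string are literal " and \.
TOKEN_RE = re.compile(r'\s*(\(|\)|"(?:\\.|[^"\\])*"|(?:\\.|[^\s()"\\])+)')


def tokenize(search):
    """Return (kind, text) tokens, where kind is PAREN, OP or WORD."""
    tokens, pos, search = [], 0, search.strip()
    while pos < len(search):
        m = TOKEN_RE.match(search, pos)
        if not m:
            raise ValueError(f"cannot tokenize {search[pos:]!r}")
        raw, pos = m.group(1), m.end()
        if raw in ("(", ")"):
            tokens.append(("PAREN", raw))
        elif raw in ("AND", "OR", "NOT"):
            tokens.append(("OP", raw))
        else:
            if raw.startswith('"'):  # assumption: unescaped quotes group one phrase term
                raw = raw[1:-1]
            tokens.append(("WORD", re.sub(r"\\(.)", r"\1", raw)))  # unescape \" and \\
    return tokens


def parse_or(toks):  # or_expr := and_expr (OR and_expr)*
    node = parse_and(toks)
    while toks and toks[0] == ("OP", "OR"):
        toks.popleft()
        node = ("OR", node, parse_and(toks))
    return node


def parse_and(toks):  # and_expr := unary ((AND [NOT] | <implied AND>) unary)*
    node = parse_unary(toks)
    while toks and toks[0] not in (("OP", "OR"), ("PAREN", ")")):
        negate = False
        if toks[0] == ("OP", "AND"):  # explicit AND, or the AND NOT operator
            toks.popleft()
            negate = bool(toks) and toks[0] == ("OP", "NOT")
            if negate:
                toks.popleft()
        rhs = parse_unary(toks)  # no AND token: adjacent keywords are ANDed
        node = ("AND", node, ("NOT", rhs) if negate else rhs)
    return node


def parse_unary(toks):  # unary := '(' or_expr ')' | WORD
    if not toks:
        raise ValueError("unexpected end of search string")
    tok = toks.popleft()
    if tok == ("PAREN", "("):
        node = parse_or(toks)
        if not toks or toks.popleft() != ("PAREN", ")"):
            raise ValueError("missing closing parenthesis")
        return node
    if tok[0] == "WORD":
        return tok
    raise ValueError(f"unexpected token {tok[1]!r}")


def parse(search):
    """Parse into ("WORD", text), ("NOT", x) and ("AND"|"OR", l, r) nodes; AND binds tighter than OR."""
    toks = deque(tokenize(search))
    tree = parse_or(toks)
    if toks:
        raise ValueError(f"unexpected token {toks[0][1]!r}")
    return tree


def evaluate(node, raw_event):
    """Evaluate a parse tree against one raw event line; keywords match as case-insensitive substrings."""
    kind = node[0]
    if kind == "WORD":
        return node[1].lower() in raw_event.lower()
    if kind == "NOT":
        return not evaluate(node[1], raw_event)
    left, right = evaluate(node[1], raw_event), evaluate(node[2], raw_event)
    return (left and right) if kind == "AND" else (left or right)


def simple_search(search, raw_events):
    tree = parse(search)
    return [ev for ev in raw_events if evaluate(tree, ev)]


# Constructed raw event lines (not real logs) to search over.
RAW_EVENTS = [
    "proto=TCP dport=80 action=allow",
    "proto=TCP dport=443 action=allow",
    "proto=TCP dport=8080 action=deny",  # "80" is also a substring of 8080
    "proto=UDP dport=53 action=allow",
    '[location]="United States" proto=TCP dport=22',
]
```

Note that a raw-text keyword such as 80 also matches 8080, which is why the table's TCP AND NOT 80 search drops the third line as well as the first.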

FortiSIEM Using Expressions in Structured Searches and Rules

Using Expressions in Structured Searches and Rules

An expression can contain a single event attribute, multiple attributes, or functions that contain an event attribute as their argument. You can also use parentheses and arithmetic operators to form complex expressions.

You can enter an expression manually, paste it in, or build it dynamically using the Expression Builder. If you use the Expression Builder, you will have to enter parentheses or arithmetic operators in the expression.

The Expression Builder

Creating Expressions

Adding a Function

Filter Condition Functions

Aggregation Condition Functions

The Expression Builder

You can access the Expression Builder by clicking the e icon next to the Attribute or Value field when creating a structured search or rule.

This screenshot shows the Expression Builder open for creating a rule.

Creating Expressions

Adding a Function

To add a function to the expression, select it from the Add Function menu, and then click the + icon. The available functions depend on whether you are creating an expression to use as part of a filter condition for a search or rule, or as part of the aggregation conditions for a rule.

Selecting Function-Specific Attributes

When you select any type of function, the function and a set of parentheses will be added to the expression. If you place your cursor within the parentheses and then open the Event Attribute menu, you will see event attributes that are relevant for that function. For example, if you select COUNT as the function, (MATCHED ITEMS) will automatically appear between the parentheses, and will be selected in the Event Attribute menu. If you select a function like AVG for an aggregation condition, you will see options such as CPU UTIL and Apache Uptime. If you select a function like HourOfDay for a filter condition, you will see options like Access Time and Vulnerable Since. You can search through the options in either situation by beginning to type a keyword in the Event Attribute menu. Selecting Attributes for Structured Searches, Display Fields, and Rules has more information about ways to search for and select event attributes.

Filter Condition Functions

If you select HourOfDay or DayOfWeek for the function, the Event Attributes menu will contain date and time-related event attributes, while if you select DeviceToCMDBAttr, it will contain device-related attributes.

Function Description
HourOfDay Specify an hour of the day in the condition
DayOfWeek Specify a day of the week in the condition
DeviceToCMDBAttr If you add the DeviceToCMDBAttr() function to the expression, the first argument must be an event attribute, and the second argument must be a CMDB attribute, which you can select using the CMDB Attribute menu. The DeviceToCMDBAttr function is used to create expressions for per-device thresholds.

This screenshot shows the beginning of creating an expression to use as the Attribute in a condition for an historical search. HourOfDay is selected as the Function, and Access Time is selected as the Event Attribute.

Aggregation Condition Functions

You use these functions to perform operations on numerical event attributes such as Sent Bytes, Received Bytes, CPU Utilization, or Memory Utilization.

Function Description
Count Count the number of items returned
Count Distinct Count the number of distinct items returned
Sum Add the numbers
Average Average the numbers
Min The lowest number
Max The highest number
Last The last number
First The first number
Pctile95 The 95th percentile
PctChange Percentage change
STAT_AVG Statistical average. This function is used in conjunction with creating baseline reports.
STAT_STDDEV Statistical standard deviation. This function is used in conjunction with creating baseline reports.

This screenshot shows the beginning of creating an expression to use as an aggregation condition in a rule. Max is selected as the Function, and CPU Util is selected as the Event Attribute.

FortiSIEM Selecting Attributes for Structured Searches, Display Fields, and Rules

Selecting Attributes for Structured Searches, Display Fields, and Rules

For both Real Time and Historical structured searches you have the option to select event attributes to use in both your search and Group By filters, and as display fields in your result lists. Since AccelOps recognizes over 130,000 event attributes, the documentation and user interface provide several ways to find the attributes you want to use. These instructions show how to access the Common Attributes menu and the CMDB attribute browser through the Attributes in search conditions, but you can access the same functionality in the Display Fields menu for searches, and when you create a new rule. They also contain information on how you can access the attributes associated with reported events through the Raw Event Logs column of results lists.

The Event Dictionary and Master Attribute List

Selecting Attributes in the Common Attributes Menu

Selecting Event Attributes from the CMDB

Selecting Attributes from the Raw Events Log Column of the Results Lists

The Event Dictionary and Master Attribute List

This documentation includes an Event Dictionary that describes events and their attributes, and an attribute master list, which lists the primary event attributes and their data type, along with a brief description of what values AccelOps expects to see when that attribute information is returned.

Selecting Attributes in the Common Attributes Menu

This screenshot shows the Common Attributes menu open in the Conditions Builder for an Historical search. Open the menu by clicking the downward arrow next to an Attribute text field. You can scroll through the list of event attributes to select the one you want, or begin typing an attribute name and the menu will sort based on your entry.

Selecting Event Attributes from the CMDB

You also have the option to browse all the attributes listed in the CMDB to find the one that you want. These two screenshots show the CMDB attribute browser, which you can access by clicking next to the Attribute text field.

The first screenshot illustrates browsing the CMDB attributes based on Device Type and Feature Type: Availability, Change, Performance, Security, and All. In this example, Security has been selected for Feature Type, and Cisco IOS has been selected for Device Type. This loads all the security attributes associated with the Cisco IOS into the Attribute List.

The second screenshot illustrates browsing the CMDB Event Types to find an event attribute. In this example, Cisco ASA is selected for Device Type. Clicking in the Event Type window opens an Event Browser for the CMDB. Select any group in the browser, and you will see the event types within that group that are applicable to the Device Type you selected.

Selecting Attributes from the Raw Events Log Column of the Results Lists

All real time search results lists include a Raw Event Log column, and you can add a Raw Event Log column to the list of results for historical searches. In addition to providing detailed information from the raw event logs, you can also use this column to view all the attributes associated with a reported event and add them to the display fields in your results list or to your filters for structured searches.

  1. Click in the Raw Event Log column of your results list to collapse the view.

The raw event log text will collapse into an information icon with a blue +.

  2. Click on the blue + icon to open the Event Details.

You will see the raw event log text and list of all the attributes associated with that event type.

  3. Select Filter or Display to add an attribute to the search filters or display fields for that search.
  4. Click X to close the Event Details window when you’re done making your selections.