FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Andy_G
Staff
Article Id 194139

Description
This article describes how to identify and investigate why a rule did not trigger an incident.

Solution

Here is a step by step guide:

1. Identify the Rule that did not trigger and did not create an Incident.

2. Ensure the Rule is active and, if relevant, that it is active for the Organization(s) concerned.

3. Ensure that the Device involved is not in Maintenance mode (check the Maintenance Calendar).

4. Check the value of Allow Incident Firing On (Admin > General Settings > Monitoring page). If it is set to Approved Devices Only, check in the CMDB to make sure the device is Approved.

5. Review the sub-pattern conditions. 

6. Review any exceptions defined in the rule. 

7. Run a historical search with EXACTLY the same criteria and Group By as the rule sub-pattern conditions, over the time window in which the incident should have been created.

7.1 Check whether any events matched.

7.2 Check whether the number of matched events reaches the count the rule requires.

8. If exceptions are defined, rerun the historical search from step 7, ADDING the exclusion conditions to the criteria.

8.1 Check whether any events still match.

8.2 Check whether the query still returns the number of matched events the rule requires.

8.3 Check whether these matched events fall within the time window of the rule.

9. Copy the original non-parsed "raw event" of an example event to the clipboard and use it to test the rule with the Test Rule functionality (Note: this only works at Super level and with a rule that is inactive).

9.1 Does it pass the test and create an Incident?

10. If everything above indicates that the rule should have fired and created an incident, create a support case and provide the following information:
  -  Raw event export from step 7
  -  Rule export XML
  -  Screenshot of any exceptions, if they are defined
  -  Full AO logs from the Super (and Workers, if applicable)

10.1 See the related KB article below for more information.
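The offline check below is an added example, not FortiSIEM code: it replays steps 7 and 8 against a handful of constructed events, first with only the sub-pattern filter and then with the rule's exceptions applied, so the difference in per-group counts shows why a threshold-based rule would not have fired. The rule (5 failed logons from one source IP within 10 minutes), the allowlist exception and the event records are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on failed-logon records; not real FortiSIEM output.
EVENTS = [
    {"ts": "2024-05-01T10:00:05", "eventType": "Win-Security-4625", "srcIp": "10.0.0.5"},
    {"ts": "2024-05-01T10:02:10", "eventType": "Win-Security-4625", "srcIp": "10.0.0.5"},
    {"ts": "2024-05-01T10:04:30", "eventType": "Win-Security-4625", "srcIp": "10.0.0.5"},
    {"ts": "2024-05-01T09:40:00", "eventType": "Win-Security-4625", "srcIp": "10.0.0.5"},  # outside window
    {"ts": "2024-05-01T10:01:00", "eventType": "Win-Security-4624", "srcIp": "10.0.0.5"},  # success, no match
] + [  # six failures from a host that a (constructed) exception excludes
    {"ts": f"2024-05-01T10:0{i}:15", "eventType": "Win-Security-4625", "srcIp": "10.0.0.99"}
    for i in range(6)
]


def evaluate(events, match, exclude, group_by, threshold, window_end, window):
    """Replay a rule sub-pattern offline. match = the sub-pattern filter, exclude = the
    rule's exception condition. Returns (groups reaching the threshold, counts per group)."""
    window_start = window_end - window
    counts = defaultdict(int)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if not window_start <= ts <= window_end:  # 8.3: outside the rule's time window
            continue
        if not match(ev):                          # 7.1: does the event match at all?
            continue
        if exclude(ev):                            # 8.1: removed by an exception
            continue
        counts[tuple(ev[k] for k in group_by)] += 1
    fired = {g: n for g, n in counts.items() if n >= threshold}  # 7.2 / 8.2: count reached?
    return fired, dict(counts)


def diagnose():
    """Run the search without exceptions (step 7) and with them (step 8)."""
    def is_failed_logon(ev):
        return ev["eventType"] == "Win-Security-4625"

    def in_scanner_allowlist(ev):  # assumed rule exception
        return ev["srcIp"] in {"10.0.0.99"}

    end = datetime.fromisoformat("2024-05-01T10:10:00")
    args = dict(group_by=("srcIp",), threshold=5, window_end=end, window=timedelta(minutes=10))
    step7 = evaluate(EVENTS, is_failed_logon, lambda ev: False, **args)
    step8 = evaluate(EVENTS, is_failed_logon, in_scanner_allowlist, **args)
    return step7, step8


if __name__ == "__main__":
    (fired7, counts7), (fired8, counts8) = diagnose()
    print("step 7 (no exceptions):  counts", counts7, "would fire", fired7)
    print("step 8 (with exceptions): counts", counts8, "would fire", fired8)
```

Without the exception 10.0.0.99 reaches the threshold, with it applied no group does, which is the step 8 outcome that explains a missing incident.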

Related Articles

Technical Note: How to retrieve logs from FortiSIEM VA and deliver them to support
