FortiKoala
Staff
Article Id 189528
Description

My policies are noisy - what can I do?

Scope

Hints and Tips

Solution

This article demonstrates how to identify noisy alerts that may not be relevant within your ZoneFox policies, so that you can refine the data you are seeing and ensure that the alerts fired are relevant to you.

1. Find the policy you want to fine tune.

In this example, we'll use the Software Install policy. Add this policy to the search bar on the Policy Alerts page.

2. Look at the Entities Summary tab to see whether any applications have a high number of alerts, particularly those that we know we are not interested in alerting on. In this example, we can see that the application wsp.exe has a very high number of alerts.

3. Add wsp.exe to your search to look at the specific alerts being fired for that application.

4. A large number of alerts are being fired by a particular resource (see image below). From further analysis, we can tell that this is part of our endpoint protection service, and not something we need to be alerted on.

5. To fine tune our policy and prevent this application from generating future alerts, copy the application name (right click and Copy to Clipboard), then navigate to the Policy screen.

Select the policy you wish to fine tune (in this case, the Software Install policy) and navigate to the 'Policy to Build' section. In this case our policy already has an excluded list of applications; you may need to add an exclusion list to the policy you are tuning. Paste the application name (wsp.exe) into the search query, so that it is on the list of applications excluded from your search.

The policy will no longer fire alerts for this application, so the alerts it generates are more focused on the data you are interested in seeing, without unnecessary noise.

This fine tuning approach can also be used to exclude particular file names, users, folders, or combinations of these, if they are not relevant to the alerts you want generated by your policy.

In this way, the basic process for policy tuning is:

  • Identify alerts which you are not interested in.

  • Derive criteria for these unwanted alerts (which may be a single attribute such as user, application, resource, activity, etc., or a logical combination of these).

  • Add exclusions to the Search query of the relevant policy (using the NOT operator) to omit these events from those that match the policy and hence trigger alerts.

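The following Python script is an added illustration of the three-step tuning process above; it is not part of this article and does not use ZoneFox's query syntax or API. It runs over a constructed set of alert records (application, user, resource, activity), ranks the entities behind the alert volume as in step 2, applies exclusion criteria as a NOT clause would, and reports how much noise each exclusion removes, showing that a narrow exclusion (application plus user) keeps an alert that an application-only exclusion would hide.

```python
"""Alert-noise triage for policy tuning: rank entities by alert volume,
apply exclusion criteria, and measure the effect of each exclusion."""
from collections import Counter


def alert(app, user, resource, activity="file_create"):
    return {"application": app, "user": user, "resource": resource, "activity": activity}


# Constructed sample alerts for one policy (Software Install); not real data.
# Five wsp.exe alerts come from the endpoint-protection service account, one
# from an interactive user writing to a Downloads folder.
SAMPLE_ALERTS = (
    [alert("wsp.exe", "svc-epp", r"C:\ProgramData\EPP\cache\%d.dll" % i) for i in range(5)]
    + [alert("wsp.exe", "alice", r"C:\Users\alice\Downloads\tool.exe")]
    + [alert("msiexec.exe", "alice", r"C:\Users\alice\Downloads\vpn.msi"),
       alert("msiexec.exe", "bob", r"C:\Users\bob\Downloads\chat.msi"),
       alert("setup.exe", "bob", r"C:\Users\bob\Downloads\setup.exe")]
)


def rank_by(alerts, attribute, top=5):
    """Step 2: which values of one attribute (application, user, resource, ...)
    dominate the alert volume?"""
    return Counter(a[attribute] for a in alerts).most_common(top)


def matches(record, criteria):
    """True when every attribute=value pair in the criteria matches (logical AND)."""
    return all(record.get(k) == v for k, v in criteria.items())


def apply_exclusions(alerts, exclusions):
    """Step 5: drop any alert matching at least one exclusion; each exclusion
    behaves like a NOT clause added to the policy's search query."""
    return [a for a in alerts if not any(matches(a, e) for e in exclusions)]


def tuning_report(alerts, exclusions):
    """Before/after alert counts so the effect of an exclusion can be reviewed."""
    kept = apply_exclusions(alerts, exclusions)
    removed = len(alerts) - len(kept)
    return {"before": len(alerts), "after": len(kept),
            "removed_pct": round(100 * removed / len(alerts), 1)}


if __name__ == "__main__":
    print("Top applications:", rank_by(SAMPLE_ALERTS, "application"))
    noisy = [a for a in SAMPLE_ALERTS if a["application"] == "wsp.exe"]
    print("Top users for wsp.exe:", rank_by(noisy, "user"))
    print("Exclude by application:", tuning_report(SAMPLE_ALERTS, [{"application": "wsp.exe"}]))
    print("Exclude by application AND user:",
          tuning_report(SAMPLE_ALERTS, [{"application": "wsp.exe", "user": "svc-epp"}]))
```

The application-only exclusion removes six of nine alerts, including the one for wsp.exe run by alice from a Downloads folder; the combined application-and-user exclusion removes only the five service-account alerts and keeps that one visible.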