FortiSIEM Discussions
sioannou
Contributor

Debugging Rules on FortiSIEM

Hi all, 

Just checking whether someone is aware of a method for debugging SIEM rules when they trigger.

We have been through testing, replaying logs in a controlled environment and testing variations of the matching conditions, but in production we still see the rule being triggered when the conditions match only one of the multiple sub-pattern rules (note: the multiple sub-patterns' NEXT operator is bonded with AND/AND_NOT). We see the logs all arriving within the specified time window, but we still get the trigger.

Is anyone aware of a debug command or a way we can debug the rule in the actual production environment? We have checked phoenix.log in both glassfish and /opt/phoenix/, but it is only informational that the rule has triggered, with no details on the conditions.

My fear is that this is a race condition issue. 

Thanks,

Sotiris 

4 REPLIES
Goutham_FTNT
Staff

Hi Sotiris,

Do you find this issue on any specific version?
Is it noticed only for custom rules?
There is a way you can check the sub-pattern match before enabling the rule. Go to Resource > Rules > Edit the rule > Define Condition > Edit the sub-pattern > Run as Query (provide the time range). This should return only matching conditions; check whether you find the same behaviour there, where you get results for OR instead of AND.

You can also enable DEBUG for phRuleWorker and phRuleMaster (phtools --change-log phRuleWorker DEBUG ; phtools --change-log phRuleMaster DEBUG). After capturing the logs, please make sure you put the log level back to INFO (same command, replacing DEBUG with INFO).

If you get the same behaviour on the queries as well, then we need to deep dive.

Regards,

Goutham 
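
The DEBUG capture described in the reply above, wrapped in a small script so the log level is always put back to INFO even if the capture is interrupted. This is an added example, not code from the thread or from Fortinet: the `phtools --change-log <process> <level>` syntax is the one quoted in the reply; the log path `/opt/phoenix/log/phoenix.log` is an assumption (the thread only says phoenix.log under /opt/phoenix/) and can be overridden with `PHOENIX_LOG`; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Toggle the FortiSIEM rule engine to
# DEBUG for a bounded window, keep only the lines written in that window, and
# restore INFO on exit, Ctrl-C or termination so DEBUG is never left on in
# production.
#
# ASSUMPTION: log path below is not stated in the thread; override via PHOENIX_LOG.
PHOENIX_LOG="${PHOENIX_LOG:-/opt/phoenix/log/phoenix.log}"
# The two processes named in the reply above.
RULE_PROCS="phRuleWorker phRuleMaster"

# set_rule_log_level LEVEL : apply LEVEL (DEBUG or INFO) to both rule processes
# using the phtools syntax quoted in the reply.
set_rule_log_level() {
    level="$1"
    for p in $RULE_PROCS; do
        phtools --change-log "$p" "$level"
    done
}

# capture_rule_debug SECONDS OUTFILE : run the rule engine at DEBUG for
# SECONDS, write only the log lines appended in that window to OUTFILE,
# then restore INFO. Prints the number of captured lines.
capture_rule_debug() {
    seconds="$1"
    outfile="$2"
    # Remember where the log ends now, so we copy only the new lines later.
    start_line=$(wc -l < "$PHOENIX_LOG")
    # Whatever happens from here on, go back to INFO before leaving.
    trap 'set_rule_log_level INFO; trap - EXIT INT TERM' EXIT INT TERM
    set_rule_log_level DEBUG
    sleep "$seconds"
    # Lines appended since start_line (tail -n +K prints from line K onward).
    tail -n "+$((start_line + 1))" "$PHOENIX_LOG" > "$outfile"
    set_rule_log_level INFO
    trap - EXIT INT TERM
    echo "$(wc -l < "$outfile" | tr -d ' ') debug lines saved to $outfile"
}

# Usage (on the FortiSIEM node, as a user allowed to run phtools):
#   capture_rule_debug 300 /tmp/rule-debug.log
# then search the output for the rule name while reproducing the trigger.
```

Run it for a window that covers the rule's time window plus the replayed events, then grep the output file for the rule name; everything the rule processes logged at DEBUG during that window, and nothing from before it, ends up in the file. If the log rotates mid-capture the line offset is no longer valid, so keep the window short or capture the rotated file as well.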

sioannou
Contributor

Hi Goutham, 

Thank you for your response. Yes, we have tried Run as Query and the behaviour is as expected. I will ask the team to try the debug option in the lab and let you know.

Regards, 

Sotiris

cdurkin_FTNT
Staff

Can you provide the rule and sanitized sample raw events?

sioannou

Hi, 

We have raised a support request and are in discussion with the support team at FTN.

Thanks,

Sotiris