FortiSIEM Analytics Cheatsheet

The FortiSIEM Analytics Cheatsheet outlines the key features of the Analytics function, which allows users to search for events based on various attributes and generate reports. It details the main components of analytics, including attribute search and group by/aggregation, and provides a table of commonly used event attributes with descriptions. Additionally, it explains the use of boolean operators for refining searches, offering examples for correct usage.

Uploaded by

Bryan Florenosos
One of the features that we utilise the most in FortiSIEM is the Analytics feature. Through Analytics,
we can search for events by one or more attributes, which helps us investigate specific events, users
and IP addresses, and lets us create reports whenever necessary.

Analytics can be divided into two main parts. The first is the attribute search, where we look for
events whose attributes match given values. The second is group by and aggregation, where we choose
which attributes from the search results are displayed, or perform operations on those results, such
as counting all events that match specific attributes.

With that in mind, in order to perform precise and correct searches, we first need to know what
the event attributes mean. Below is a table of the most used and most useful event attributes:

| Attribute name | Description |
| --- | --- |
| User ID | UserID can be used to search for events relating to a specific user in the organisation. |
| User | User is practically the same as UserID. In some organisations one will be used instead of the other. If unsure, you can try a search for UserID OR User. |
| Source IP | Source IP is the IP address from which the event started/occurred. |
| Destination IP | Destination IP is the IP address which the event attempted to reach. |
| Reporting IP | Reporting IP is the IP address of the device that is reporting the event to FortiSIEM. This could be a firewall, server, collector etc. |
| Event Type | This specifies the type of event that occurred. This is dependent on the device from which the event originated. For example, Windows security events will always look like win-security-xxxx. |
| Event Name | This specifies the name of the event that occurred. Basically, it is a simplification of the Event Type attribute. |
| Report Device | The name of the device that reported the event. |
| Host Name | The name of the device from which the event originated. |
| Raw Event Logs | Raw Event Logs refers to the logs as FortiSIEM received them, without being parsed. |
| Event Receive Time | The time when the event was received by the FortiSIEM collector. |

When doing an analytics search with multiple event attributes, you can use the AND and OR
operators between them. Use “AND” when you want both attribute conditions to be true for a result;
use “OR” when you want either one or the other condition to be true for the results.

It is also important to use the correct boolean operator when performing a search. In other
words, you need to know whether the value is the exact one, whether it should fall within a group
or range, whether it is something the attribute would contain, etc.

Here are a few examples of correct usage for boolean operators:

- If we are searching for activity regarding the user “majstor” we would add User or User ID as
the attribute, “=” as the boolean operator and “majstor” as the value. Accordingly, if we
want to search activity for every user apart from the user “majstor” we can use the “!=”
operator.
- If we are searching for logs where the source IP is in a specific IP range, we would use the
“IN” operator instead of “=” since we do not know the exact value for the source IP. If we
want to search for logs for source IPs out of that range we can use the “NOT IN” operator.
- The operators “IS” and “IS NOT” can only have a value of “NULL”. If we know that a certain
attribute will have a value, but we are uncertain what that value will be, we can use the “IS
NOT” operator with the value “NULL”.
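To make the AND/OR combination, the comparison operators and the group-by count concrete, here is a small Python evaluator that models the behaviour described above. This is an added example, not code from the cheatsheet and not FortiSIEM's own query engine or search syntax: the sample events, the function names `matches`, `search` and `group_count`, the use of CIDR strings to express "a specific IP range" for IN / NOT IN, and the decision that an attribute the parser left empty (NULL) never satisfies `=`, `!=` or `NOT IN` are all assumptions made for the illustration.

```python
"""Toy evaluator for cheatsheet-style analytics conditions.

Added example: models =, !=, IN, NOT IN, IS NULL and IS NOT NULL joined by
AND / OR, plus a group-by count, over constructed sample events. It is not
FortiSIEM's real search engine; null handling below is an assumption.
"""
import ipaddress
from collections import Counter

# Constructed sample events (not real log data). Keys mirror the cheatsheet's
# attribute names; None stands for an attribute the parser did not populate.
EVENTS = [
    {"User": "majstor", "Source IP": "10.1.2.15", "Destination IP": "10.9.0.8",
     "Reporting IP": "10.0.0.1", "Event Type": "Win-Security-4624", "Host Name": "ws01"},
    {"User": "majstor", "Source IP": "192.168.5.20", "Destination IP": "8.8.8.8",
     "Reporting IP": "10.0.0.2", "Event Type": "FortiGate-event-traffic", "Host Name": None},
    {"User": "alice", "Source IP": "10.1.2.77", "Destination IP": "10.9.0.8",
     "Reporting IP": "10.0.0.1", "Event Type": "Win-Security-4625", "Host Name": "ws02"},
    {"User": None, "Source IP": "172.16.3.4", "Destination IP": "10.9.0.8",
     "Reporting IP": "10.0.0.3", "Event Type": "Linux-SSH-Login", "Host Name": "srv01"},
    {"User": "bob", "Source IP": "10.1.2.90", "Destination IP": "1.1.1.1",
     "Reporting IP": "10.0.0.2", "Event Type": "FortiGate-event-traffic", "Host Name": "ws03"},
]


def _in_set(value, members):
    """IN / NOT IN membership: a value matches if it equals a listed literal or
    falls inside a listed CIDR range (the cheatsheet's 'IP in a specific range')."""
    if value is None:
        return False
    for member in members:
        if "/" in str(member):
            try:
                if ipaddress.ip_address(value) in ipaddress.ip_network(member, strict=False):
                    return True
            except ValueError:  # value is not an IP address; cannot be in a range
                continue
        elif value == member:
            return True
    return False


def matches(event, attr, op, value=None):
    """Evaluate one (attribute, operator, value) condition against one event.
    Assumption: a NULL attribute satisfies only IS NULL, never =, != or NOT IN."""
    actual = event.get(attr)
    if op == "=":
        return actual is not None and actual == value
    if op == "!=":
        return actual is not None and actual != value
    if op == "IN":
        return _in_set(actual, value)
    if op == "NOT IN":
        return actual is not None and not _in_set(actual, value)
    if op in ("IS", "IS NOT"):
        # As the cheatsheet states, IS and IS NOT only accept the value NULL.
        if value != "NULL":
            raise ValueError(f"{op} only accepts the value NULL")
        return actual is None if op == "IS" else actual is not None
    raise ValueError(f"unknown operator {op!r}")


def search(events, conditions, join="AND"):
    """Return the events satisfying all (AND) or any (OR) of the conditions,
    each given as an (attribute, operator, value) tuple."""
    if join not in ("AND", "OR"):
        raise ValueError("join must be AND or OR")
    combine = all if join == "AND" else any
    return [e for e in events if combine(matches(e, *cond) for cond in conditions)]


def group_count(events, attr):
    """Group-by/aggregation step: count of matching events per value of attr."""
    return dict(Counter(e.get(attr) for e in events))


if __name__ == "__main__":
    # Activity for user "majstor" whose source IP is in the 10.1.2.0/24 range.
    hits = search(EVENTS, [("User", "=", "majstor"),
                           ("Source IP", "IN", ["10.1.2.0/24"])], join="AND")
    print("AND search:", [(e["User"], e["Source IP"]) for e in hits])
    # Everyone except "majstor", then counted per user (group by User).
    print("Count by User:", group_count(search(EVENTS, [("User", "!=", "majstor")]), "User"))
    # Events whose User attribute was populated at all.
    print("User IS NOT NULL:", len(search(EVENTS, [("User", "IS NOT", "NULL")])))
```

Run it directly to see the three searches; `search` returns the matching event dictionaries, so a count, a group-by or a further filter can be chained on its result just as the group-by/aggregation step does in the Analytics view.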
