FortiSIEM Rules Engine

Rule Conditions

• Rule conditions consist of several components, including aggregation, filter, group by, and time window.
• The aggregation condition specifies how to combine matching data.
• The group by condition allows the rules engine to identify specific events or patterns.
• The time window specifies the time period during which events must occur.

Components of a Rule Condition

• A sub-pattern is a specific component of a rule condition.
• The counter component counts the number of times a specific event occurred.
• The filter component is used to refine the search for specific events or patterns.

Building Rules in FortiSIEM

• When building rules, consider the following questions: What is the scenario you want to detect? What events are required to trigger the rule? What is the time period for the events to occur?
• The purpose of the advanced analytical rules engine is to detect complex scenarios and correlate events across multiple devices.
• Computing an expression means evaluating a mathematical operation or logical test on the event data.
• If a rule needs multiple events to be received before it triggers, it means the rule requires multiple events to occur within a specified time period.
• Aggregation operations can be performed on the results, such as sum, average, or count.
• Events should be allowed to occur within a specified time period, such as 1 hour or 1 day.
• Events will be part of a totally new incident if they do not match any existing incident.

Rule Triggering and Wizard

• The three-step wizard is used to build rules in FortiSIEM.
• An example of a condition that can be used to trigger a rule is "if 10 login failure events occur within 1 hour".
• The main function of FortiSIEM's advanced analytical rules engine is to detect complex scenarios and correlate events across multiple devices.