Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • User Guide

    2024.9.0
    2024.10.0
    2024.9.0
    2024.7.0

    Creating queries with Private Search

    Creating queries with Private Search

    Privately search and iterate over recent events. You can quickly modify and re-run the queries. You can use a query in Private Search to create a new detection rule or investigation, or use the query in an existing investigation.

    To perform a search:

    1. Go to Investigations > Private Search.

    2. Click the Search tab.

    3. Enter the query in the search box using one of the following options:
      • Enter the IQL query in the Search field. By default, you can view the results of the events that occurred in the last 24 hours.
      • Click an example search string to add it to the Search field.

    4. Configure the search settings.
      Date range

      Use the date picker to configure the date range or select Last Hour, Last 24 Hours, or Last 7 days and click Apply.

      You can select any time period within the last 365 days as long as it is limited to seven days.

      Sort by timestamp

      Select Ascending or Descending.

      Retrieve up to xxx Rows

      Select 100, 500 or 1,000 rows.

      Add to Existing Investigation

      From the Choose Investigation dropdown, select and investigation.

      Enable FacetsSelect to return the panel that allows narrowing the search. This may make the query longer to complete. For more information, see Facet Search.

      Adhoc Search

    5. Click Search.

    To move Private Search queries to Investigations:

    1. Click Investigations > Private Search.

    2. Click the Private Search tab.
      To move a query

      Click the Actions menu at the end of the row and select Move to an Investigation.

      To move multiple queries
      1. Click the Edit button and select the queries to be moved.

      2. Click Actions > Move to an Investigation .

    3. Create a new investigation or add the query to an existing investigation.
      Create a New Investigation

      Select this option to create a new investigation. Enter the Investigation Name and Description.

      The default name for new investigations is the first and last name of the user creating the investigation as well as a date stamp of when the investigation was created.

      Add to Existing Investigation

      From the Choose Investigation dropdown, select and investigation.

    4. Click Move.

    To delete queries in the Private Search tab:
    1. Click Investigations > Private Search.
    2. Click the Private Search tab.
      To delete a query

      Click the Actions menu at the end of the row and select Delete Query.

      To delete multiple queries
      1. Click the Edit button and select the queries to be deleted.

      2. Click Actions > Delete Query .

    3. In the confirmation dialog, click Confirm.
    To create a detection from an adhoc query:

    1. Click the Private Search tab.

    2. Click the Actions menu at the end of the row and click Create Detection.The Create A Detection Rule page opens.

    3. Configure the detection rule and click Save Rule.

      Detection Rule Query

      You have the option of selecting a new query or using the query parameters the results are based on.

      • The query field displays the facet filters used in the query.
      • Click Select a new Query to select a saved query or a query from your history.
      Impacted Device IP can appear in the fields

      Click Change Fields to select the specific fields you want to use to generate a detection. By default, any internal IP address in the src.ip or dst.ip fields will be used to generate detections.

      Indicators are captured in the fields

      Click Change Fields to add or remove an Indicator Field for a rule. You can choose up to five fields.

      Name Enter a name for the detection rule query.
      Severity Select High, Moderate or Low from the dropdown list.
      Confidence Select High, Moderate or Low from the dropdown list.
      Category Select the rule category from the dropdown list.
      Primary TechniqueSelect the Primary Technique from the dropdown list.
      Secondary TechniqueSelect the Secondary Technique from the dropdown list.
      SpecificitySelect Campaign, Tool Implementation, Procedure, Technique, or Tactic from the dropdown.
      Description Enter a description of the new detection rule.
      Run on Accounts

      Click Manage Run List to choose which accounts the new rule should run in.. In the dialog that opens, choose an account and click Save.

      This is applicable only if you have access to multiple accounts. For example, if your organization acquired another organization, once you deploy sensors in their network, it might be easier to ingest that data into a separate account and give your team access to it. If you were to write a rule targeting specific subnets in your account, that rule wouldn't be applicable to the acquired company's network, so you would only want to deploy it in your account.

      Data Sources

      Enable Zeek, Fortinet, Suricata, or Zscaler.

      Resolution Settings
      Resolution StyleSelect Auto or Manual.
      Automatic Resolution PeriodSelect between 6 hours and 1 Month. The default is 1 Week.
    To save a query:
    1. Click the Private Search tab.

    2. Click the Actions menu at the end of the row and click Add to Saved Queries.The Save Query dialog opens.

    3. Enter the query details and click Save.
      Query NameEnter a name for the query.
      Search QueryThis field cannot be edited.
      DescriptionEnter a description of the query.
    Tooltip

    You can use a saved query when you create a new rule or investigation.

    Previous
    Next

    Creating queries with Private Search

    Creating queries with Private Search

    Privately search and iterate over recent events. You can quickly modify and re-run the queries. You can use a query in Private Search to create a new detection rule or investigation, or use the query in an existing investigation.

    To perform a search:

    1. Go to Investigations > Private Search.

    2. Click the Search tab.

    3. Enter the query in the search box using one of the following options:
      • Enter the IQL query in the Search field. By default, you can view the results of the events that occurred in the last 24 hours.
      • Click an example search string to add it to the Search field.

    4. Configure the search settings.
      Date range

      Use the date picker to configure the date range or select Last Hour, Last 24 Hours, or Last 7 days and click Apply.

      You can select any time period within the last 365 days as long as it is limited to seven days.

      Sort by timestamp

      Select Ascending or Descending.

      Retrieve up to xxx Rows

      Select 100, 500 or 1,000 rows.

      Add to Existing Investigation

      From the Choose Investigation dropdown, select and investigation.

      Enable FacetsSelect to return the panel that allows narrowing the search. This may make the query longer to complete. For more information, see Facet Search.

      Adhoc Search

    5. Click Search.

    To move Private Search queries to Investigations:

    1. Click Investigations > Private Search.

    2. Click the Private Search tab.
      To move a query

      Click the Actions menu at the end of the row and select Move to an Investigation.

      To move multiple queries
      1. Click the Edit button and select the queries to be moved.

      2. Click Actions > Move to an Investigation .

    3. Create a new investigation or add the query to an existing investigation.
      Create a New Investigation

      Select this option to create a new investigation. Enter the Investigation Name and Description.

      The default name for new investigations is the first and last name of the user creating the investigation as well as a date stamp of when the investigation was created.

      Add to Existing Investigation

      From the Choose Investigation dropdown, select and investigation.

    4. Click Move.

    To delete queries in the Private Search tab:
    1. Click Investigations > Private Search.
    2. Click the Private Search tab.
      To delete a query

      Click the Actions menu at the end of the row and select Delete Query.

      To delete multiple queries
      1. Click the Edit button and select the queries to be deleted.

      2. Click Actions > Delete Query .

    3. In the confirmation dialog, click Confirm.
    To create a detection from an adhoc query:

    1. Click the Private Search tab.

    2. Click the Actions menu at the end of the row and click Create Detection.The Create A Detection Rule page opens.

    3. Configure the detection rule and click Save Rule.

      Detection Rule Query

      You have the option of selecting a new query or using the query parameters the results are based on.

      • The query field displays the facet filters used in the query.
      • Click Select a new Query to select a saved query or a query from your history.
      Impacted Device IP can appear in the fields

      Click Change Fields to select the specific fields you want to use to generate a detection. By default, any internal IP address in the src.ip or dst.ip fields will be used to generate detections.

      Indicators are captured in the fields

      Click Change Fields to add or remove an Indicator Field for a rule. You can choose up to five fields.

      Name Enter a name for the detection rule query.
      Severity Select High, Moderate or Low from the dropdown list.
      Confidence Select High, Moderate or Low from the dropdown list.
      Category Select the rule category from the dropdown list.
      Primary TechniqueSelect the Primary Technique from the dropdown list.
      Secondary TechniqueSelect the Secondary Technique from the dropdown list.
      SpecificitySelect Campaign, Tool Implementation, Procedure, Technique, or Tactic from the dropdown.
      Description Enter a description of the new detection rule.
      Run on Accounts

      Click Manage Run List to choose which accounts the new rule should run in.. In the dialog that opens, choose an account and click Save.

      This is applicable only if you have access to multiple accounts. For example, if your organization acquired another organization, once you deploy sensors in their network, it might be easier to ingest that data into a separate account and give your team access to it. If you were to write a rule targeting specific subnets in your account, that rule wouldn't be applicable to the acquired company's network, so you would only want to deploy it in your account.

      Data Sources

      Enable Zeek, Fortinet, Suricata, or Zscaler.

      Resolution Settings
      Resolution StyleSelect Auto or Manual.
      Automatic Resolution PeriodSelect between 6 hours and 1 Month. The default is 1 Week.
    To save a query:
    1. Click the Private Search tab.

    2. Click the Actions menu at the end of the row and click Add to Saved Queries.The Save Query dialog opens.

    3. Enter the query details and click Save.
      Query NameEnter a name for the query.
      Search QueryThis field cannot be edited.
      DescriptionEnter a description of the query.
    Tooltip

    You can use a saved query when you create a new rule or investigation.

    Previous
    Next