Notification via Email
Email is the most common form of incident notification. FortiSIEM ships with a default email format, and users can also define their own email templates in the FortiSIEM GUI.
The screenshots below show the three types of email that can be sent, depending on whether the incident is NEW, UPDATE or CLEAR.
Release Added: 5.1
(Screenshots: NEW, UPDATE and CLEAR notification emails)
Subject Line Format
[New|Update|Clear] <HostName>: <Rule Name>
Section | Field | Description |
---|---|---|
Generic | | |
Rule | Rule Name | Name of the rule, repeated in the subject line |
Rule | Incident Id | Unique ID of the incident in FortiSIEM. An incident can be searched for in FortiSIEM by this ID. |
Rule | Time | Time when this incident occurred |
Rule | Severity | Incident severity as HIGH, MEDIUM or LOW, plus a numeric severity in the range 0-10 (0-4 LOW, 5-8 MEDIUM, 9-10 HIGH) |
Rule | Incident Count | How many times this incident has occurred. For NEW incidents, the count is 1. |
Rule | Rule Description | |
Incident Source | Host Name (optional) | For security-related incidents, where the incident originated |
Incident Source | Host IP (optional) | |
Incident Source | Other attributes as defined in rule | |
Incident Target | Host Name (optional) | Where the incident occurred, or the target of an IPS alert |
Incident Target | Host IP (optional) | |
Incident Details | | Rule-specific details that caused the incident to trigger |
Affected Business Services (optional) | | |
Identity and Location | | Additional information for IP addresses in the incident source or target. Present only if FortiSIEM has discovered such information; it is the same data shown in the Identity and Location tab. Fields: Host name; User; Domain; Nearest switch name/port, VPN gateway or Wireless Controller; First and last seen times for this IP-address-to-identity/location binding. |
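Because the subject line format and the NEW/UPDATE/CLEAR states are fixed, these emails can be parsed and folded into a single incident record per Incident Id, which is what a ticketing or SOAR integration usually needs. The following is an added example written for this page, not FortiSIEM code: the subject format and the 0-10 severity ranges come from the table above, while the "Field: value" body layout, the host names, rule names and sample messages are constructed assumptions.

```python
"""Parse FortiSIEM incident notification emails and track incident state.

Added example, not FortiSIEM code. Subject format and severity ranges are
from the documentation; the body layout and sample mails are constructed.
"""
import re
from dataclasses import dataclass

# Subject line: [New|Update|Clear] <HostName>: <Rule Name>
# The host is matched lazily up to the first ": " so that rule names
# containing a colon survive; a host name containing ": " would not.
SUBJECT_RE = re.compile(
    r"^\[(?P<state>New|Update|Clear)\]\s+(?P<host>.+?):\s+(?P<rule>.+)$")

# Body lines of the form "Field: value" (assumed layout; field names from the table).
FIELD_RE = re.compile(
    r"^(?P<key>Incident Id|Severity|Incident Count|Time):\s*(?P<value>.+?)\s*$", re.M)


def severity_bucket(score: int) -> str:
    """Map numeric severity 0-10 to the documented bucket: 0-4 LOW, 5-8 MEDIUM, 9-10 HIGH."""
    if not 0 <= score <= 10:
        raise ValueError(f"severity out of range: {score}")
    if score <= 4:
        return "LOW"
    if score <= 8:
        return "MEDIUM"
    return "HIGH"


@dataclass
class Notification:
    state: str            # NEW, UPDATE or CLEAR
    host: str
    rule: str
    incident_id: int
    severity: int
    count: int
    label_mismatch: bool  # True if the text label disagrees with the numeric bucket


def parse_notification(subject: str, body: str) -> Notification:
    """Parse one notification mail; raises ValueError on anything unexpected."""
    m = SUBJECT_RE.match(subject.strip())
    if not m:
        raise ValueError(f"unrecognised subject: {subject!r}")
    fields = dict(FIELD_RE.findall(body))
    missing = {"Incident Id", "Severity", "Incident Count"} - fields.keys()
    if missing:
        raise ValueError(f"body missing fields: {sorted(missing)}")
    num = re.search(r"\d+", fields["Severity"])
    if not num:
        raise ValueError(f"no numeric severity in {fields['Severity']!r}")
    score = int(num.group())
    label = re.match(r"(HIGH|MEDIUM|LOW)", fields["Severity"])
    mismatch = bool(label) and label.group(1) != severity_bucket(score)
    return Notification(
        state=m["state"].upper(), host=m["host"], rule=m["rule"],
        incident_id=int(fields["Incident Id"]), severity=score,
        count=int(fields["Incident Count"]), label_mismatch=mismatch)


class IncidentTracker:
    """Fold NEW/UPDATE/CLEAR mails for the same Incident Id into one record."""

    def __init__(self) -> None:
        self.active: dict[int, Notification] = {}
        self.cleared: dict[int, Notification] = {}

    def apply(self, n: Notification) -> str:
        if n.state == "NEW":
            if n.count != 1:          # the documentation says NEW always has count 1
                return "rejected: NEW with count != 1"
            self.active[n.incident_id] = n
            return "opened"
        if n.state == "UPDATE":
            prev = self.active.get(n.incident_id)
            if prev is None:
                return "orphan update"  # UPDATE without a prior NEW (e.g. lost mail)
            if n.count < prev.count:
                return "stale update"   # out-of-order delivery, keep the newer record
            self.active[n.incident_id] = n
            return "updated"
        if n.state == "CLEAR":
            prev = self.active.pop(n.incident_id, None)
            self.cleared[n.incident_id] = n
            return "cleared" if prev else "orphan clear"
        return "unknown state"


# Constructed sample mails (subject, body); host and rule names are made up.
SAMPLE_MAILS = [
    ("[New] fw-edge-01: Excessive Denied Connections From Same Src",
     "Incident Id: 4121\nTime: 2024-03-05 10:14:02\nSeverity: MEDIUM (7)\nIncident Count: 1\n"),
    ("[Update] fw-edge-01: Excessive Denied Connections From Same Src",
     "Incident Id: 4121\nTime: 2024-03-05 10:24:02\nSeverity: MEDIUM (7)\nIncident Count: 2\n"),
    ("[Clear] fw-edge-01: Excessive Denied Connections From Same Src",
     "Incident Id: 4121\nTime: 2024-03-05 10:44:02\nSeverity: MEDIUM (7)\nIncident Count: 2\n"),
    ("[Update] srv-db-02: Brute Force Login: Multiple Failures",
     "Incident Id: 4130\nSeverity: HIGH (9)\nIncident Count: 3\n"),
]


def replay(mails) -> list[str]:
    """Run a batch of mails through one tracker and return the outcome per mail."""
    tracker = IncidentTracker()
    return [tracker.apply(parse_notification(s, b)) for s, b in mails]


if __name__ == "__main__":
    for (subject, _), outcome in zip(SAMPLE_MAILS, replay(SAMPLE_MAILS)):
        print(f"{outcome:14} {subject}")
```

The tracker treats an UPDATE or CLEAR for an Incident Id it has never seen as an orphan rather than silently creating a record, and it rejects a NEW whose count is not 1, so gaps and reordering in mail delivery surface as explicit outcomes instead of corrupted state. If the body of your template differs from the assumed "Field: value" layout, only FIELD_RE needs to change.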
Notification via SMS
SMS notification is a shortened version of the email notification.
Release Added: 5.1