
FortiSIEM Customized Rules

The following out-of-the-box rules require modification to define the watchlist. Steps are detailed later.

| FSM Rules | Description | Source Devices | Attribute map to Watchlist |
| --- | --- | --- | --- |
| Failed VPN Logon From Outside My Country | Detects VPN logon from outside my country. My Country is set to "United States" and may need to be changed if your home country is different. | VPN terminators and Firewalls | Source IP -> External Fabric Threats |
| Successful VPN Logon From Outside My Country | Detects VPN logon from outside my country. My Country is set to "United States" and may need to be changed if your home country is different. | VPN terminators and Firewalls | Source IP -> External Fabric Threats |
| Multiple Logon Failures: VPN | Detects multiple VPN logon failures: 5 consecutive failures in a 10 minute period. | VPN terminators and Firewalls | Source IP -> External Fabric Threats |
| Sudden User Location Change | Detects a location change for a user that is unfeasible in a short period of time, using the Haversine formula. This may indicate use of a stolen credential. | VPN terminators and Firewalls | Source IP -> External Fabric Threats |
| Traffic to FortiGuard Threat Feed | Identifies traffic targeting an IP on the FortiGuard threat feed. | Firewalls | Source IP -> Malware Likely, IP Fabric Threats |

The following rules will need to be imported into your FortiSIEM instance.

| FSM Rules | Description | Source Devices | Attribute map to Watchlist |
| --- | --- | --- | --- |
| Host Risk increased to HIGH | Detects a device that has moved to high risk. | FortiSIEM | Host IP -> Fabric Threats |
| UEBA AI detects unusual drive unmounted - Fabric | Detects an unusual drive unmount by a user. | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats |
| UEBA AI detects unusual file deletion - Fabric | Detects an unusual file deletion by a user. | FortiSIEM Agent UEBA, Windows Security Event Log | Reporting IP -> Fabric Threats |
| UEBA AI detects unusual file download - Fabric | Detects an unusual file download by a user. | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats |
| UEBA AI detects unusual file movement - Fabric | Detects an unusual file movement by a user. | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats |
| UEBA AI detects unusual file printed - Fabric | Detects an unusual file print by a user. | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats |
| UEBA AI detects unusual file reading - Fabric | Detects an unusual file read by a user. | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats |
| UEBA AI detects unusual file renamed - Fabric | Detects an unusual file rename by a user. | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats |
| UEBA AI detects unusual file upload - Fabric | Detects an unusual file upload by a user. | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats |
| UEBA AI detects unusual file writing - Fabric | Detects an unusual file write by a user. | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats |
| UEBA AI detects unusual host logon - Fabric | Detects an unusual Windows logon. | FortiSIEM Agent UEBA, Windows Security Event Log | Reporting IP -> Fabric Threats |
| UEBA AI detects unusual new drive mounted - Fabric | Detects an unusual new drive mount by a user. | FortiSIEM Agent UEBA | Reporting IP -> Fabric Threats |
| UEBA AI detects unusual process created - Fabric | Detects an unusual process started by a user. | FortiSIEM Agent UEBA, Windows Security Event Log | Reporting IP -> Fabric Threats |
| UEBA AI detects unusual process started - Fabric | Detects an unusual process started by a user. | FortiSIEM Agent UEBA, Windows Security Event Log | Reporting IP -> Fabric Threats |
| UEBA AI detects unusual user logoff - Fabric | Detects an unusual user logoff. | FortiSIEM Agent UEBA, Windows Security Event Log | Reporting IP -> Fabric Threats |
