Fortinet white logo
Fortinet white logo

Map Custom Rules

Map Custom Rules

The FortiSIEM rules that have been imported as well as the existing rules need to be mapped to the custom watchlists group defined in the earlier step.

For each of the rules defined in FortiSIEM Customized Rules, customization of the watch list is needed. Follow these general steps to ensure the watch lists are mapped to the new watchlists.

  1. Ensure RESOURCES > Rules is selected.

  2. In the search field, enter the rule you wish to edit. When it appears, select it.

  3. Click Edit, and select Selected Rule.

  4. Click Step 3: Define Action.

  5. Clear the Watch List field, if an entry exists by clicking on the Trash icon.

  6. From the Watch List row, click the Edit icon.

  7. From the Available Watch List column, select the appropriate watch list (use the Attribute map to Watchlist column from the FortiSIEM Customized Rules table to identify which watch list to assign), and click the > button to move it to the Selected column.

  8. Click Save.

  9. Click Save.

  10. Confirm that the rule is enabled by verifying that the Active checkbox is checked.

Here is one specific example, using the rule “Failed VPN Logon From Outside My Country”.

  1. Navigate to RESOURCES > Rules.

  2. In the search field, enter "Failed VPN Logon from outside"

  3. Click Edit, and select Selected Rule.

  4. Click Step 3: Define Action.

  5. Click the Edit icon.

  6. From the Available Watch List column, select External Fabric Threats.

  7. Click the > button to move it to the Selected column.

  8. Click Save.

  9. Click Save.

  10. Confirm that the rule is enabled by verifying that the Active checkbox is checked.


Map Custom Rules

Map Custom Rules

The FortiSIEM rules that have been imported as well as the existing rules need to be mapped to the custom watchlists group defined in the earlier step.

For each of the rules defined in FortiSIEM Customized Rules, customization of the watch list is needed. Follow these general steps to ensure the watch lists are mapped to the new watchlists.

  1. Ensure RESOURCES > Rules is selected.

  2. In the search field, enter the rule you wish to edit. When it appears, select it.

  3. Click Edit, and select Selected Rule.

  4. Click Step 3: Define Action.

  5. Clear the Watch List field, if an entry exists by clicking on the Trash icon.

  6. From the Watch List row, click the Edit icon.

  7. From the Available Watch List column, select the appropriate watch list (use the Attribute map to Watchlist column from the FortiSIEM Customized Rules table to identify which watch list to assign), and click the > button to move it to the Selected column.

  8. Click Save.

  9. Click Save.

  10. Confirm that the rule is enabled by verifying that the Active checkbox is checked.

Here is one specific example, using the rule “Failed VPN Logon From Outside My Country”.

  1. Navigate to RESOURCES > Rules.

  2. In the search field, enter "Failed VPN Logon from outside"

  3. Click Edit, and select Selected Rule.

  4. Click Step 3: Define Action.

  5. Click the Edit icon.

  6. From the Available Watch List column, select External Fabric Threats.

  7. Click the > button to move it to the Selected column.

  8. Click Save.

  9. Click Save.

  10. Confirm that the rule is enabled by verifying that the Active checkbox is checked.