Define the FortiSIEM Watch List Groups
This deployment requires creating two watch list groups:
- “External Fabric Threats” of type IP with a validity of 2 weeks
- “Fabric Threats” of type IP with a validity of 1 week
The validity of one and two weeks can be configured to be longer or shorter, depending on how transient the IP is likely to be. For example, there may be little value in keeping a DHCP-assigned IP in the watch lists for longer than 1 week, as it may have been reassigned to another host by then.
General steps to configure watchlists can be found here.
To create the External Fabric Threats Watch List Group, take the following steps from the FortiSIEM GUI.
- Navigate to RESOURCES > Watch Lists.
- In the left pane, click the + icon to create a new watch list group.
- From the Create New Watch List Group window, take the following steps:
  - In the Group field, enter "External Fabric Threats".
  - From the Type drop-down list, select IP.
  - In the Expired in # Week(s) field, enter/select 2.
  - Click Save.
To create the Fabric Threats Watch List Group, take the following steps from the FortiSIEM GUI.
- Navigate to RESOURCES > Watch Lists.
- In the left pane, click the + icon to create a new watch list group.
- From the Create New Watch List Group window, take the following steps:
  - In the Group field, enter "Fabric Threats".
  - From the Type drop-down list, select IP.
  - In the Expired in # Week(s) field, enter/select 1.
  - Click Save.