DOCUMENT LIBRARY

FortiGate / FortiOS

FortiManager

FortiAnalyzer

User Guide

FortiSIEM User Guide
TABLE OF CONTENTS
Overview
FortiSIEM Releases
- What's New in 7.2.7
- What's New in 7.2.6
- What's New in 7.2.5
- What's New in 7.2.4
- What's New in 7.2.3
- What's New in 7.2.2
- What's New in 7.2.1
- What's New in 7.2.0
- What's New in 7.1.9
- What's New in 7.1.8
- What's New in 7.1.7
- What's New in 7.1.6
- What's New in 7.1.5
- What's New in 7.1.4
- What's New in 7.1.3
- What's New in 7.1.2
- What's New in 7.1.1
- What's New in 7.1.0
- What's New in 7.0.4
- What's New in 7.0.3
- What's New in 7.0.2
- What's New in 7.0.1
- What's New in 7.0.0
Windows Agent Releases
Content Pack Updates
Key Concepts
Getting Started
Advanced Operations
- CMDB
- Incidents and Cases
- Device Support
- Rules, Reports, and Dashboards
- Advanced Health System
- Managing FortiSIEM
Administration
- Setup
- Device Support
- Health
- License
- Content Update
- Settings
Managing CMDB
- Devices
- Applications
- Users
- Business Services
- CMDB Reports
Managing Resources
- Reports
  - Viewing System Reports
  - Running System Reports
  - Creating New Reports
  - Working With Report Templates
  - Scheduling Reports
  - Importing and Exporting Reports
  - Importing and Exporting Report Definitions
- Rules
  - Viewing Rules
  - Creating Rules
  - Activating and Deactivating a Rule
  - Testing a Rule
  - Exporting and Importing a Rule Definitions
  - Importing Sigma Rules
- Networks
  - Adding a Network
  - Modifying a Network
  - Deleting a Network
- Watch Lists
  - System-defined Watch list
  - Creating a Watch List
  - Modifying a Watch List
  - Using a Watch List
  - Exporting and Importing Watch Lists
- Protocols
  - Adding a Protocol
  - Modifying a Protocol
  - Deleting a Protocol
- Event Types
  - Adding an Event Type
  - Modifying an Event Type
  - Deleting an Event Type
- Working with AlienVault OTX
- Working with Dragos IOCs
- Working with FortiGuard IOCs
- Working with Malware Patrol
- Working with MISP Threatfeeds
- Working with OpenCTI Threatfeeds
- Working with ThreatConnect
- Working with Custom Threat Feeds that use HTTPS Connectivity
- Malware Domains
  - Adding a Malware Domain
  - Modifying a Malware Domain
  - Deleting a Malware Domain
  - Importing Malware Domains
  - Viewing Malware Domains
- Malware IPs
  - Adding a Malware IP
  - Modifying a Malware IP
  - Deleting a Malware IP
  - Importing Malware IPs
  - Viewing Malware IPs
- Malware URLs
  - Adding a Malware URL
  - Modifying a Malware URL
  - Deleting a Malware URL
  - Importing Malware URLs
  - Viewing Malware URLs
- Malware Processes
  - Creating a Malware Process Group
  - Adding a Malware Process
  - Modifying a Malware Process
  - Deleting a Malware Process
  - Importing Malware Processes
  - Viewing Malware Processes
- Country Groups
  - Creating a Country Group
  - Adding a Country Group
  - Modifying a Country Group
  - Deleting a Country Group
  - Changing the Home Country
- Malware Hash
  - Adding a Malware Hash
  - Modifying a Malware Hash
  - Importing/Updating User-defined Malware Hash
  - Viewing Malware Hash
- Default Password
  - Adding a Default Password
  - Modifying a Default Password
  - Importing and Exporting a Default Password
- Anonymity Network
  - Adding Anonymity Networks
  - Modifying Anonymity Networks
  - Updating Anonymity Networks
- User Agents
  - Adding User Agents
  - Modifying User Agents
  - Importing and Exporting User Agents
- Remediations
  - Adding Remediations
  - Modifying Remediations
  - Deleting Remediations
- Lookup Tables
  - Adding a Lookup Table
  - Deleting a Lookup Table
  - Working with Lookup Table Data
- Playbooks
  - Viewing Playbooks
  - Updating Playbooks
- Connectors
  - Viewing Connectors
  - Updating Connectors
- Machine Learning Jobs
  - Viewing Machine Learning Jobs
  - Editing a Machine Learning Job
  - Deleting a Machine Learning Job
- Osquery
  - Viewing osquery Templates
  - Creating osquery Templates
Working with Cases
- Creating a Case Manually
- Creating a Case Automatically
- Viewing All Cases
- Searching Cases
- Viewing a Case in Depth
- Acting on a Case
- Case Dashboard
- Case Report
- Steps to Update Case Escalation from 6.x-7.1.x to 7.2.x
Working with Incidents
- Overview View
- List View
- Risk View
- Explorer View
- MITRE ATT&CK View
- UEBA View
- Investigating Incidents
- Automated Incident Resolution Recommendation
- Lookups Via External Websites
- CVE-Based IPS False Positive Analysis
- Remediating an Incident using a Script
- Executing a Playbook on an Incident
- Running a Connector on an Incident
- Troubleshooting Incident Trigger
Working with Analytics Search
- Overview
- Running a Built-in Historical Search
- Creating a New Search
- Creating a Nested Search
- Viewing Real-time Search Results
- Viewing Historical Search Results
- Searches Using Pre-computed Results
- Working with Search Results
Advanced Search
- Overview
- Running a Built-in Advanced Search
- Creating a New Advanced Search
- Fixing SQL Query Syntax Errors with FortiAI
- Miscellaneous Advanced Search Operations
- Advanced Search Examples
Machine Learning
- Overview
- Anomaly Detection
- Classification
- Clustering
- Forecasting
- Regression
Working with Dashboards
- General Operations
- Widget Dashboard
- Summary Dashboard
- Business Service Dashboard
- Identity and Location Dashboard
- Interface Usage Dashboard
- PCI Logging Status Dashboard
Managing Tasks
FortiAI
FortiSIEM Manager
- FortiSIEM Manager Incidents
  - FortiSIEM Manager Incidents Overview View
  - FortiSIEM Manager Incidents - List View
- FortiSIEM Manager CMDB Users
  - FortiSIEM Manager CMDB Adding Users
  - FortiSIEM Manager - Editing User Information
- FortiSIEM Manager Resources
- FortiSIEM Manager Admin
Appendix
- Administrative Tools and Information
- ClickHouse Usage Notes
- Configuration Notes
- Elasticsearch Usage Notes
- Examples of Custom Performance Monitors
- Exporting QRadar Logs to FortiSIEM
- FortiEMS Endpoint Tagging
- GUI Notes
  - Flash to HTML5 GUI Mapping
  - FortiSIEM Charts and Maps
- FortiSOAR Integration Notes
  - Configuring FortiSOAR for FortiSIEM Integration
  - Writing FortiSIEM Compatible FortiSOAR Playbooks
- Functions in Analytics
- Knowledge Base
- License Enforcement
- Parser Specification
- Python Threat Feed Framework
- Sample Windows Agent Logs
- UEBA Information
- Windows Agent System Variables

Home FortiSIEM 7.2.7 User Guide

7.2.7

Advanced Search Examples

This section offers some simple examples to demonstrate the basic SQL building blocks. These examples are intended to be followed in sequential order.

Example 1 - Query Top 10 Reporting Devices by Event Count in Last 1 Hour
Example 2 - Add the Reporting Vendor and Model of the Reporting Devices and the Last Time that They Reported an Event
Example 3 - Show the Reporting IP and the Top Event Types for these Devices and only Include External Events
Example 4 - Show the External Events from a Specific Reporting Device with a Specific IP
Example 5 - Show Information from a Specific CMBD Group
Example 6 - Show Reporting Devices Reporting External Events Today that were not Reporting External Events Yesterday
Example 7 - Only Return Top 5 Event Types for Each Reporting Device

Example 1 - Query Top 10 Reporting Devices by Event Count in Last 1 Hour

Lets start with this query: Top 10 Reporting Devices by Event Count in last 1 hour.

SELECT
    reptDevName AS `Reporting Device`,
    COUNT(*) AS `Total Events`
FROM fsiem.events
WHERE phRecvTime > (now() - 3600) AND eventParsedOk=1
GROUP BY reptDevName
ORDER BY COUNT(*) DESC
LIMIT 10

Example 2 - Add the Reporting Vendor and Model of the Reporting Devices and the Last Time that They Reported an Event

Suppose you want to see the reporting vendor and model of the reporting devices and the last time that they reported an event. Then run the following query:

SELECT
    reptDevName AS `Reporting Device`,
    reptVendor AS Vendor,reptModel AS Model,
    COUNT(*) AS `Total Events`,
    MAX(phRecvTime) AS `Last Reporting Time`
FROM fsiem.events
WHERE phRecvTime > (now() - 3600) AND eventParsedOk=1
GROUP BY
    reptDevName,
    reptVendor,reptModel
ORDER BY COUNT(*) DESC
LIMIT 10

Example 3 - Show the Reporting IP and the Top Event Types for these Devices and only Include External Events

Suppose you want to see the Reporting IP and the Top Event Types for these devices and only include external events. Then run the following query:

SELECT
    reptDevName AS `Reporting Device`,
    reptDevIpAddrV4 AS `Reporting IP`,eventType AS `Event Type`,
    reptVendor AS Vendor,
    reptModel AS Model,
    COUNT(*) AS `Total Events`,
    MAX(phRecvTime) AS `Last Reporting Time`
FROM fsiem.events
WHERE (phRecvTime > (now() - 3600)) AND eventParsedOk=1  AND (phEventCategory IN (0, 4))
GROUP BY
    reptDevName,
    reptDevIpAddrV4,eventType,
    reptVendor,
    reptModel
ORDER BY COUNT(*) DESC
LIMIT 10

Example 4 - Show the External Events from a Specific Reporting Device with a Specific IP

Suppose you want to choose a specific reporting device named WIN-ABC with Reporting IP as 10.1.1.1. Then run the following query:

SELECT
    reptDevName AS `Reporting Device`,
    reptDevIpAddrV4 AS `Reporting IP`,
    eventType AS `Event Type`,
    reptVendor AS Vendor,
    reptModel AS Model,
    COUNT(*) AS `Total Events`,
    MAX(phRecvTime) AS `Last Reporting Time`
FROM fsiem.events
WHERE (phRecvTime > (now() - 3600)) AND eventParsedOk=1 AND (phEventCategory IN (0, 4)) AND ((reptDevName = 'WIN-ABC') OR (reptDevIpAddrV4 = '10.1.1.1'))
GROUP BY
    reptDevName,
    reptDevIpAddrV4,
    eventType,
    reptVendor,
    reptModel,
ORDER BY COUNT(*) DESC
LIMIT 10

Example 5 - Show Information from a Specific CMBD Group

Instead of focusing on a single device, suppose you want to focus on devices in CMDB Group: Devices > Server > Windows. Then use the CMDB Group Converter to generate the query.

To create this CMDB group, click on CMDB Group Converter, and in the CMDB Group Converter window, take the following steps.

Set Attribute as Reporting IP.
Set Operator as IN.
Set Value as Group: Windows by taking the following steps.
1. Click Value and click Select from CMDB.
2. From Folders, navigate to Devices > Server > Windows, and ensure Windows is selected.
3. Click >> to create group, then OK.
4. Click Convert & Copy.

SELECT
    reptDevName AS `Reporting Device`,
    reptDevIpAddrV4 AS `Reporting IP`,
    eventType AS `Event Type`,
    reptVendor AS Vendor,
    reptModel AS Model,
    COUNT(*) AS `Total Events`,
    MAX(phRecvTime) AS `Last Reporting Time`
FROM fsiem.events
WHERE (phRecvTime > (now() - 3600)) AND eventParsedOk=1 AND (phEventCategory IN (0, 4)) AND (dictHas('fsiem.dict_cmdb_group', (phCustId, toString(fsiem.events.reptDevIpAddr), 'PH_SYS_DEVICE_WINDOWS_SERVER')) OR dictHas('fsiem.dict_cmdb_group', (toUInt32(0), toString(fsiem.events.reptDevIpAddr), 'PH_SYS_DEVICE_WINDOWS_SERVER')) OR dictHas('fsiem.dict_cmdb_group', (phCustId, toString(fsiem.events.reptDevIpAddr), 'PH_SYS_DEVICE_WINDOWS_SERVER:IntfIP')) OR dictHas('fsiem.dict_cmdb_group', (toUInt32(0), toString(fsiem.events.reptDevIpAddr), 'PH_SYS_DEVICE_WINDOWS_SERVER:IntfIP')))
GROUP BY
    reptDevName,
    reptDevIpAddrV4,
    eventType,
    reptVendor,
    reptModel
ORDER BY COUNT(*) DESC
LIMIT 10

Example 6 - Show Reporting Devices Reporting External Events Today that were not Reporting External Events Yesterday

Suppose you want to see the reporting devices that are reporting external events today but were not reporting yesterday. This uses the SQL SubQuery capability. Then run the following query:

WITH reporting_devices_last_1_day AS
    (
        SELECT DISTINCT reptDevName
        FROM fsiem.events
        WHERE (phRecvTime >= toStartOfDay(now() - (1 * 86400))) AND eventParsedOk=1 AND (phRecvTime < toStartOfDay(now())) AND (phEventCategory IN (0, 4))
    )
SELECT DISTINCT
    reptDevName AS `Reporting Device`,
    reptDevIpAddrV4 AS `Reporting IP`,
    reptVendor AS Vendor,
    reptModel AS Model
FROM fsiem.events
WHERE (phRecvTime >= toStartOfDay(now())) AND eventParsedOk=1 AND (phEventCategory IN (0, 4)) AND (reptDevName NOT IN (
    SELECT reptDevName
    FROM reporting_devices_last_1_day
))
ORDER BY reptDevName ASC

Example 7 - Only Return Top 5 Event Types for Each Reporting Device

Lets go back to Example 3, but only return Top 5 event types for each reporting device. This is achieved via the SQL Window function (For more information, see https://clickhouse.com/docs/en/sql-reference/window-functions and https://www.postgresql.org/docs/current/tutorial-window.html).

WITH subquery AS
    (
        SELECT
            reptDevName,
            eventType,
            count() AS count,
            rank() OVER (PARTITION BY reptDevName ORDER BY count DESC) AS rank
        FROM fsiem.events
        WHERE phRecvTime > (now() - 3600) AND eventParsedOk=1
        GROUP BY ALL
    )
SELECT
    reptDevName AS `Reporting Device`,
    eventType AS `Event Type`,
    count
FROM subquery
WHERE rank <= 5

Advanced Search Examples

This section offers some simple examples to demonstrate the basic SQL building blocks. These examples are intended to be followed in sequential order.

Example 1 - Query Top 10 Reporting Devices by Event Count in Last 1 Hour
Example 2 - Add the Reporting Vendor and Model of the Reporting Devices and the Last Time that They Reported an Event
Example 3 - Show the Reporting IP and the Top Event Types for these Devices and only Include External Events
Example 4 - Show the External Events from a Specific Reporting Device with a Specific IP
Example 5 - Show Information from a Specific CMBD Group
Example 6 - Show Reporting Devices Reporting External Events Today that were not Reporting External Events Yesterday
Example 7 - Only Return Top 5 Event Types for Each Reporting Device

Example 1 - Query Top 10 Reporting Devices by Event Count in Last 1 Hour

Lets start with this query: Top 10 Reporting Devices by Event Count in last 1 hour.

SELECT
    reptDevName AS `Reporting Device`,
    COUNT(*) AS `Total Events`
FROM fsiem.events
WHERE phRecvTime > (now() - 3600) AND eventParsedOk=1
GROUP BY reptDevName
ORDER BY COUNT(*) DESC
LIMIT 10

Example 2 - Add the Reporting Vendor and Model of the Reporting Devices and the Last Time that They Reported an Event

Suppose you want to see the reporting vendor and model of the reporting devices and the last time that they reported an event. Then run the following query:

SELECT
    reptDevName AS `Reporting Device`,
    reptVendor AS Vendor,reptModel AS Model,
    COUNT(*) AS `Total Events`,
    MAX(phRecvTime) AS `Last Reporting Time`
FROM fsiem.events
WHERE phRecvTime > (now() - 3600) AND eventParsedOk=1
GROUP BY
    reptDevName,
    reptVendor,reptModel
ORDER BY COUNT(*) DESC
LIMIT 10

Example 3 - Show the Reporting IP and the Top Event Types for these Devices and only Include External Events

Suppose you want to see the Reporting IP and the Top Event Types for these devices and only include external events. Then run the following query:

SELECT
    reptDevName AS `Reporting Device`,
    reptDevIpAddrV4 AS `Reporting IP`,eventType AS `Event Type`,
    reptVendor AS Vendor,
    reptModel AS Model,
    COUNT(*) AS `Total Events`,
    MAX(phRecvTime) AS `Last Reporting Time`
FROM fsiem.events
WHERE (phRecvTime > (now() - 3600)) AND eventParsedOk=1  AND (phEventCategory IN (0, 4))
GROUP BY
    reptDevName,
    reptDevIpAddrV4,eventType,
    reptVendor,
    reptModel
ORDER BY COUNT(*) DESC
LIMIT 10

Example 4 - Show the External Events from a Specific Reporting Device with a Specific IP

Suppose you want to choose a specific reporting device named WIN-ABC with Reporting IP as 10.1.1.1. Then run the following query:

SELECT
    reptDevName AS `Reporting Device`,
    reptDevIpAddrV4 AS `Reporting IP`,
    eventType AS `Event Type`,
    reptVendor AS Vendor,
    reptModel AS Model,
    COUNT(*) AS `Total Events`,
    MAX(phRecvTime) AS `Last Reporting Time`
FROM fsiem.events
WHERE (phRecvTime > (now() - 3600)) AND eventParsedOk=1 AND (phEventCategory IN (0, 4)) AND ((reptDevName = 'WIN-ABC') OR (reptDevIpAddrV4 = '10.1.1.1'))
GROUP BY
    reptDevName,
    reptDevIpAddrV4,
    eventType,
    reptVendor,
    reptModel,
ORDER BY COUNT(*) DESC
LIMIT 10

Example 5 - Show Information from a Specific CMBD Group

Instead of focusing on a single device, suppose you want to focus on devices in CMDB Group: Devices > Server > Windows. Then use the CMDB Group Converter to generate the query.

To create this CMDB group, click on CMDB Group Converter, and in the CMDB Group Converter window, take the following steps.

Set Attribute as Reporting IP.
Set Operator as IN.
Set Value as Group: Windows by taking the following steps.
1. Click Value and click Select from CMDB.
2. From Folders, navigate to Devices > Server > Windows, and ensure Windows is selected.
3. Click >> to create group, then OK.
4. Click Convert & Copy.

SELECT
    reptDevName AS `Reporting Device`,
    reptDevIpAddrV4 AS `Reporting IP`,
    eventType AS `Event Type`,
    reptVendor AS Vendor,
    reptModel AS Model,
    COUNT(*) AS `Total Events`,
    MAX(phRecvTime) AS `Last Reporting Time`
FROM fsiem.events
WHERE (phRecvTime > (now() - 3600)) AND eventParsedOk=1 AND (phEventCategory IN (0, 4)) AND (dictHas('fsiem.dict_cmdb_group', (phCustId, toString(fsiem.events.reptDevIpAddr), 'PH_SYS_DEVICE_WINDOWS_SERVER')) OR dictHas('fsiem.dict_cmdb_group', (toUInt32(0), toString(fsiem.events.reptDevIpAddr), 'PH_SYS_DEVICE_WINDOWS_SERVER')) OR dictHas('fsiem.dict_cmdb_group', (phCustId, toString(fsiem.events.reptDevIpAddr), 'PH_SYS_DEVICE_WINDOWS_SERVER:IntfIP')) OR dictHas('fsiem.dict_cmdb_group', (toUInt32(0), toString(fsiem.events.reptDevIpAddr), 'PH_SYS_DEVICE_WINDOWS_SERVER:IntfIP')))
GROUP BY
    reptDevName,
    reptDevIpAddrV4,
    eventType,
    reptVendor,
    reptModel
ORDER BY COUNT(*) DESC
LIMIT 10

Example 6 - Show Reporting Devices Reporting External Events Today that were not Reporting External Events Yesterday

Suppose you want to see the reporting devices that are reporting external events today but were not reporting yesterday. This uses the SQL SubQuery capability. Then run the following query:

WITH reporting_devices_last_1_day AS
    (
        SELECT DISTINCT reptDevName
        FROM fsiem.events
        WHERE (phRecvTime >= toStartOfDay(now() - (1 * 86400))) AND eventParsedOk=1 AND (phRecvTime < toStartOfDay(now())) AND (phEventCategory IN (0, 4))
    )
SELECT DISTINCT
    reptDevName AS `Reporting Device`,
    reptDevIpAddrV4 AS `Reporting IP`,
    reptVendor AS Vendor,
    reptModel AS Model
FROM fsiem.events
WHERE (phRecvTime >= toStartOfDay(now())) AND eventParsedOk=1 AND (phEventCategory IN (0, 4)) AND (reptDevName NOT IN (
    SELECT reptDevName
    FROM reporting_devices_last_1_day
))
ORDER BY reptDevName ASC

Example 7 - Only Return Top 5 Event Types for Each Reporting Device

WITH subquery AS
    (
        SELECT
            reptDevName,
            eventType,
            count() AS count,
            rank() OVER (PARTITION BY reptDevName ORDER BY count DESC) AS rank
        FROM fsiem.events
        WHERE phRecvTime > (now() - 3600) AND eventParsedOk=1
        GROUP BY ALL
    )
SELECT
    reptDevName AS `Reporting Device`,
    eventType AS `Event Type`,
    count
FROM subquery
WHERE rank <= 5

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

User Guide

Advanced Search Examples

Advanced Search Examples

Example 1 - Query Top 10 Reporting Devices by Event Count in Last 1 Hour

Example 2 - Add the Reporting Vendor and Model of the Reporting Devices and the Last Time that They Reported an Event

Example 3 - Show the Reporting IP and the Top Event Types for these Devices and only Include External Events

Example 4 - Show the External Events from a Specific Reporting Device with a Specific IP

Example 5 - Show Information from a Specific CMBD Group

Example 6 - Show Reporting Devices Reporting External Events Today that were not Reporting External Events Yesterday

Example 7 - Only Return Top 5 Event Types for Each Reporting Device

Advanced Search Examples

Advanced Search Examples