List View
This tabular view enables the user to search incidents and take actions.
Additional Incident related information: Automated Incident Resolution Recommendation
Viewing Incidents
To see this view, hover over Incidents in the FortiSIEM left pane. By default, an Incidents Overview dashboard appears if selected. It displays the following information: Incidents by Category, Top Incidents, and Top Impacted Hosts - by Severity/Risk Score. To access List View, which offers Listing by Time, Device, Rule and Category (FortiAI), hover over List, and select a list view.
The Incidents "List by" views allow you to filter data by device and by incident.
You can set any of the Incidents views as the default view by selecting User Profile > UI Settings then choosing Incidents from the Home drop-down list. You can filter the Incidents view further by choosing Overview, List – by Time, List – by Device, List - by Rule or List – by Category (FortiAI) from the Incident Home drop-down list.
An incident's status can be one of the following:
- Active: An ongoing incident.
- Manually Cleared: Cleared manually by a user - the incident is no longer active.
- Auto Cleared: Automatically cleared by the system when the rule clearing condition is met. Rule clearance logic can be set in the rule definition.
- System Cleared: Cleared by the system. All non-security related incidents are cleared from the system every night at midnight local time, and will show a status of System Cleared.
- Externally Cleared: Cleared in the external ticketing system.
The resolution for an incident can be:
- Open
- In-progress
- True Positive, or
- False Positive
When an Incident Status is Active, Incident Resolution is Open. When an Incident is Cleared, then the user can set the Incident Resolution to be True Positive or False Positive. If you are changing the Incident Resolution to be False Positive, then you must Clear the Incident.
List by <Time, Device, Rule, Category> views provide a range of time buttons which appear above the paginator. They allow you to filter data by certain time ranges depending on the List by option selected. List by Time, List by Device and List by Rule allows you to select 15 minutes, 1 hour, 1 day, 7 days, or 30 days. List by Category (FortiAI) allows you to select 1 day, 7 days, 14 days, 30 days, 60 days, or 90 days.
The following sections describe the views that are available through the Incidents view:
List by Time View
The List by Time view displays a table of the incidents which have been active in the last 2 hours. Additionally, above the table, "buttons" for the number of incidents, number of new incidents that have occurred, number of assigned incidents, and number of incident notifications that have occurred in the last 2 hours appears, and any of these "buttons" can be clicked to display a filtered incident table. The Last Occurred column contains the incidents sorted by time, with the most recent first. By default, the view refreshes automatically every minute. The refresh menu on the top bar allows the user to disable automatic refresh or choose a different refresh interval.
See the following table for information on the attributes shown for each incident. A caret will appear when you hover the cursor over some attributes for additional actions:
|
Attribute |
Description |
|---|---|
| Severity | High (Red), MEDIUM (Orange), or LOW (Green). |
| ID |
|
| Last Occurred |
|
| Incident |
|
| Tactics |
|
| Technique |
Name of the technique involved with the incident. Click the caret icon for the following option:
|
| Reporting |
|
|
Source |
|
|
Target |
Target of the incident (host name or IP address or user). Click the caret icon for the following options:
|
| Detail |
Other incident details, for example, Counts, Average CPU utilization, file name, and so on. Click the caret icon for the following option:
|
|
Status |
An incident's status can be one of the following:
|
|
Resolution |
Current state of the incident. Click the caret icon for the following options:
|
|
Biz Service |
Name of the business services affected by this incident |
|
Case ID |
The case ID associated with the incident. Click the ID to go to the Cases page. |
|
Case User |
The user assigned to a case related to the incident. |
|
Category |
Category of incidents triggered (Availability, Change, Performance, Security and Other). |
|
Cleared Reason |
Reason for clearing the incident if it was cleared. |
|
Cleared Time |
Time at which the incident was cleared. |
|
Cleared User |
User who cleared the incident. |
|
Confidence |
The confidence level of a threat. |
|
Incident Count |
Number of times the incident triggered between the first and last seen times |
|
Event Type |
Event type associated with this incident. All incidents with the same name have the same Incident Type. |
|
External Cleared Time |
Time when the incident was resolved in an external ticketing system. |
|
External Ticket ID |
ID of a ticket in an external ticketing system such as ServiceNow, ConnectWise, etc. |
|
External Ticket State |
State of a ticket in an external ticketing system. |
|
External Ticket Type |
Type of the external ticketing system (ServiceNow, ConnectWise, Salesforce, Remedy). |
|
External User |
External user assigned to a ticket in an external ticketing system. |
|
First Occurred |
The first time that the incident was triggered. |
|
Incident Comments |
Comments made on an incident. |
|
Incident First Occurrence Time |
The period of time when the incident first occurred. |
|
Incident Title |
The incident title - This typically displays more information than the "Incident" attribute.
|
|
Notification Recipients |
Incident Notification recipients |
|
Notification Status |
Incident Notification Status |
|
Organization |
Organization of the reporting device (for Service Provider installations). |
|
Reporting Device Status |
Status of the device: Approved or Pending. You must approve devices for the incidents to trigger, but they will still be monitored. |
|
Reporting IP |
IP addresses of the devices reporting the incident. See Reporting for selectable drop-down options. |
|
Subcategory |
Subcategory of the triggered incident. To add custom subcategories to an incident category, see here. |
|
Tag |
Name of the tag involved with the rule that triggered the incident. |
|
View Status |
Whether the Incident has been Read or Not. |
|
Automation Status |
The current state that automation is at. |
|
Evaluation Mode |
Rule detection - streaming or scheduled. |
|
Related Incidents |
Number of related incidents. |
To see the incident details, click the incident.
- Details - Includes the full list of incident attributes in a separate pane.
Column Description Incident ID Unique ID of the incident in the Incident database. Incident Title A system default title or a user-defined title for an incident. Rule Name Rule involved with Incident. Event Type Event type associated with this incident. All incidents with the same name have the same Incident Type. Severity Category Incident Severity Category: High, Medium or Low. First Occurred The first time that the incident was triggered. Last Occurred The last time when the incident was triggered. Category Category of incidents triggered. Subcategory Subcategory of the triggered incident. To add custom subcategories to an incident category, see here. Tactics Name of the tactics involved with the incident. Technique Name of the technique involved with the incident. Tag
Tag associated with the incident.
Organization Organization of the reporting device (for Service Provider installations). Reporting Reporting device. Reporting IP IP addresses of the devices reporting the incident. Reporting Device Status Status of the device: Approved or Pending. You must approve devices for the incidents to trigger, but they will still be monitored. Target Target of the incident (host name or IP address or user). Detail Event attributes that triggered the incident. Count Number of times this incident has occurred with the same incident source and target criteria. Resolution The resolution for an incident can be: - Open (not defined or not known whether the incident is True Positive or False Positive)
- True Positive, or
- False Positive
When an Incident Status is Active, Incident Resolution is Open. When an Incident is Cleared, then the user can set the Incident Resolution to be True Positive or False Positive. If you are changing the Incident Resolution to be True Positive or False Positive, then you must Clear the Incident.
Automation Status
The current state that automation is at.
Case ID The Case ID for the case associated with the incident. Click the Case ID link to go to the Cases page for the selected case. View Status Whether the Incident has been Read or Not. - Rule Summary - This displays the Definition of Rule that Triggered the Incident and the Triggered Event Attributes.
- Triggering Events - This displays the set of events that triggered the incident. If an incident involves multiple sub-patterns, select the sub-pattern to see the events belonging to that sub-pattern. When an event is selected, raw message and parsed fields for that event is displayed. A "Copy to clipboard" icon is available to copy the raw message, and the FortiAI icon can be clicked to provide an analysis and recommended action. Create Filter... option is available from Event Attributes Value column. Create Filter... saves incident information to scratchpad which is available by clicking
at top right. - Related Active Incidents - Displays any additional incidents that may be related to the active incident.
-
Threat - This displays threat related information, which includes FortiGuard IP Geolocation, Whois, and Watchlists information. It also provides FortiGuard and Virus Total analysis, if configured.
- Context - Displays contextual incident information.
- FortiAI Analysis - Provides an analysis on the selected incident. Select Basic to enter a general question or Agentic for a deeper analysis for steps to take.
Note: This requires FortiAI to function. - Execute Playbook - Run a playbook.
- Comments - Information about the incident is provided.
- Action History - Displays the action history for the incident.
To close the incident details pane, click the highlighted incident, or click X in the upper right corner of the pane itself.
List by Device View
The upper pane of the List by Device view lists the devices that are experiencing incidents. In the list, the device can be identified by either an IP or a host name. The name of the device is followed by the organization name and the number of incidents. Click the device name to see the incidents associated with the device. This view contains the same features and functionality as the List by Time view.
List by Rule View
The upper pane of the List by Rule view lists incidents detected by FortiSIEM by rules. The name of the rule followed by the number of related incidents appears at the top. Click a general rule to see the incidents associated with it. This view contains the same features and functionality as the List by Time view.
List by Category (FortiAI)
This view displays incidents by categories determined by FortiAI. These groups contain incidents organized by semantic similarity, and are listed in order by a generated evaluated severity score. To view the incidents under the incident category, click 
to expand the Incident group. When incidents are displayed, this view offers the same features and functionality as the List by Time view.
Acting on Incidents
The Show More Actions (
) drop-down provides a list of actions that can be taken on incidents. It is available from the Incidents Details sidebar.
To change the incident attribute display columns in the List View, select the Columns drop-down list and check/uncheck the desired attributes to display. When done, click the Columns drop-down button again.
Location View
To see a Location View of the incidents, select an incident, then click on the Show location (
) icon. From the Select Column to Plot drop-down list, select Incident Source or Incident Target to plot the appropriate geographical location. FortiSIEM has a built in database of locations of public IP addresses. Private IP address locations can be defined in Admin > Settings > Discovery > Location.
Note: This feature requires Google Maps API Key to be configured, under Admin > Settings > System > UI.
Clearing Incidents
To clear one or more incidents, select the incidents you wish to clear, and click the Clear Incident (
) icon. In the Resolution field, you will be prompted to select True Positive or False Positive for the affected incidents, and a Reason field is available to provide an explanation for clearing the incidents chosen.
Note:
- To select specific incidents, hold down the Ctrl key, and click each incident that you wish to include.
Actions
You can perform the following operations using the Actions menu:
- FortiAI
- Check Reputation
- Incident Detail
- Investigate
- Changing the Severity of an Incident
- Clearing One or More Incidents
- Create Case
- Add to Case
- Show Related Case
- Creating Event Dropping Rules
- Disabling One or More Rules
- Fine Tuning a Rule Triggering an Incident
- Creating an Exception for the Rule
- Executing a Playbook
- Creating a Remediation Action
- Resolve Incident
- Running a Connector
- Exporting One or More Incidents into a PDF File
- Emailing Incidents
Changing the Severity of an Incident
- Select the incident, then click the Actions () icon.
- Select Change Severity, then select Change to High, Medium, or Low.
Clearing One or More Incidents
- Use the Check column to select specific incidents.
Note: You can select the Check checkbox header to select all incidents. - Click the Clear Incident () icon.
- Select whether the Resolution is True Positive or False Positive.
- Enter a Reason for clearing.
- Click OK.
Disabling One or More Rules
- Use the Check column to select specific incidents.
Note: You can select the Check checkbox header to select all incidents. - Click the Actions () icon and select Disable Rule.
- For Service Provider installations, select the Organizations for which to disable the rule.
- Click Save.
Exporting One or More Incidents into a PDF File
- Use the Check column to select specific incidents.
Note: You can select the Check checkbox header to select all incidents. - Click the Export (
) icon - Enter or edit the comment in the User Notes box.
- Select the Output Format (currently only PDF) and Maximum Rows.
- Check the Summary Mode checkbox to include Summary.
- Check the Include Raw Event checkbox to include raw events.
- Click Generate.
A file will be downloaded in your browser.
Fine Tuning a Rule Triggering an Incident
- While hovering your cursor over an incident, click Show Details (
). - Select Edit Rule from the Actions () drop-down.
- In the Edit Rule dialog box, make the required changes.
- Click OK.
Creating an Exception for the Rule
- While hovering your cursor over an incident, click Show Details ().
- Select Edit Rule Exception from the Actions () drop-down.
- In the Edit Rule Exception dialog box, make the required changes:
- For Service provider deployments, select the Organizations for which the exception will apply.
- Select the exception criteria:
- For incident attribute based exceptions, select the incident attributes for which rule will not trigger.
- For time based exceptions, select the time for which rule will not trigger.
- Select AND/OR between the two criteria.
- Add Notes.
- Click Save.
Show Related Case
View case of a selected incident by taking the following steps.
- While hovering your cursor over an incident, click Show Details ().
- Select Show Related Case from the Actions () drop-down.
If a related case exists, you will be taken to the Cases page with the case for the selected incident.
Creating Event Dropping Rules
Event Dropping Rules may need to be created to prevent an incident from triggering. To create such a rule:
- While hovering your cursor over an incident, click Show Details ().
- Select Create Event Dropping Rule from the Actions () drop-down.
- In the Event Dropping Rule dialog box, enter the event dropping criteria:
- Organization - For Service provider deployments, select the organizations for which the exception will apply.
- Reporting Device - Select the device whose reported events will be dropped.
- Event Type - Select the matching event types.
- Source IP - Select the matching source IP address in the event.
- Destination IP - Select the matching destination IP address in the event.
- Action - Choose to drop the events completely or store them in the event database. If you store events, you can select the following actions:
- Do not trigger rules
- Drop attributes (Click the edit icon to open the selection window and select the attributes to drop)
- Regex filter - Select a regex filter to match the raw event log.
- Description - Add a description for the drop rule.
- Click Save.
The Rule will be appear in Admin > Settings > Event Pipeline > Dropping.
Creating a Case
See Creating a Case from the Incidents tab.
Emailing Incidents
Incidents can be emailed to one or more recipients. Make sure that Email settings are defined in Admin > Settings > System > Email. Note that email notification from the Incident page is somewhat ad hoc and must be manually setup by the user after the incident has triggered. To define an automatic notification, create an Incident Automation Policy in Admin > Settings > Automation Policy. To email one or more incidents on demand:
- Use the Check column to select specific incidents.
Note: You can select the Check checkbox header to select all incidents. - Click Show Details ().
- Select Notify via Email from the Actions () drop-down and enter the following information:
- Send To – a list of receiver email addresses, separated by commas.
- Email template – Choose an email template. You can use the default email template, or create your own in Admin > Settings > System > Email > Incident Email Template.
Creating a Remediation Action
Incidents can be mitigated by deploying a mitigation script, for example, blocking an IP in a firewall or disabling a user in Active Directory. Note that this type of incident mitigation from the Incident page is somewhat ad hoc and must be manually setup by the user after the incident has triggered.
To define an automatic remediation, create an Incident Automation Policy in Admin > Settings > General > Automation Policy. Click +, and in the Automation Policy dialog box, select Run Remediation/Script in the Action section. To create a remediation action:
- While hovering your cursor over an incident, click Show Details ().
- Select Remediate Incident from the Actions () drop-down.
- Choose the Enforce On devices – the script will run on those devices. Make sure that FortiSIEM has working credentials for these devices defined in Admin > Setup > Credentials.
- Choose the Remediation script from the drop-down menu.
Note: Some Remediation scripts, such as FortiGate/Forti iOS version 7.0 and higher require a VDOM. Enter a Virtual Domain (VDOM) in the VDOM field for these particular scripts. Be aware that this field is case sensitive, so the VDOM must be entered exactly as it is named. - Choose the node on which the remediation will Run On from the drop-down list.
- Click Run. If the user does not have permission to run remediation, a Create New Request window will appear. Take the following actions:
- In the Approver drop-down list, select an approver. Fortinet recommends selecting all approvers to better ensure a response.
- In the Type drop-down list, ensure Remediation Request is selected.
- In the Justification field, enter an explanation why you want to run a remediation.
- Click Submit. An email with the your request will be sent to all selected approvers. Approvers will receive a pending task notification in the FortiSIEM console, where they can resolve the request.
- If you receive an email with an approval, repeat steps 1 through 6 before the expiration. If you received a rejection or received approval that has expired, repeat steps 1-10 if you wish to try again.
Resolve Incident
You can directly resolve an incident by taking the following actions.
-
Select the incident(s) you wish to resolve.
-
Click the Resolve Incident (
) icon. -
Select the resolution (Open, In Progress, True Positive, False Positive).
-
Click OK.
Check Reputation
FortiSIEM utilizes an external integration policy to perform a reputation check on incidents.
To create an external integration policy, navigate to Admin > Settings > General > External Integration. Click + to begin creating an external integration. For more information, see Configuring External Integration.
To perform a reputation check, take the following steps:
- While hovering your cursor over an incident (or event from Analytics), click the Actions () icon.
- Select Check Reputation.
A Check Reputation sidebar will appear with reputation related information.
Note: For incidents, you can add comments by selecting Add Results to Comment from the Actions () drop-down.
Incident Detail
When hovering your cursor over an incident, you can get incident details by selecting Show Details ().
For more information on what the Incident Detail sidebar provides, see here.
Investigate
- While hovering your cursor over an incident, click Show Details ().
- Select Investigate from the Actions () drop-down.
You will be taken the Analytics > Investigation page. See Investigating Incidents.
Searching Incidents
Using Search for Incidents
- Select Search by clicking the Filters (
) icon. - In the left pane, click an Incident attribute (for example, Category). All possible values of the selected attribute with a count next to it is shown (for example, Security, Availability and Performance for Function).
- Select any value (for example, Performance) and the right pane updates with the relevant incidents.
- Click and select other Incident Attributes to refine the Search or click the Trash icon to cancel the selection.
Changing the Time Range for the Search
- Select Search by clicking the Filters () icon.
- Near the top of the left panel, click the time value.
- Click Relative or Absolute:
- If you click Relative, adjust the time value in the Last field.
- If you click Absolute enter a time range. If you select Always Prior, enter a time period prior to the current time.
Saving the Search Criteria
Once you have performed your search, follow these steps to save the search criteria:
- Click the Action (
) icon. - In the "New Filter" field, enter a name for the filter, and click Save.
The filter will be available from the drop-down that appears after clicking the Action () icon, for example:
- When saving a filter based on the List by Time View, it displays in the drop-down list after clicking Filters () > Action ().
- When saving a filter based on the List by Device View, it displays in the drop-down list after clicking Filters () > Action ().
- When saving a filter based on the List by Incident View, it displays in the drop-down list after clicking Filters () > Action ().
Using Search for MITRE ATT&CK Incidents
To find incidents that fall into any of the MITRE ATT&CK categories, follow these steps:
- Select Search by clicking the Filters () icon.
- Click Tactics or Technique in the left pane.
The total number of security incidents will appear under the selected MITRE ATT&CK category. - Select one or more checkboxes next to the categories of interest.
The incidents associated with the category are displayed.
For more information on MITRE ATT&CK views and MITRE ATT&CK categories, see MITRE ATT&CK View.