User Guide

TABLE OF CONTENTS

FortiSIEM User Guide
Overview
FortiSIEM Releases
What's New in 7.5.0
What's New in 7.4.2
What's New in 7.4.1
What's New in 7.4.0
What's New in 7.3.5
What's New in 7.3.4
What's New in 7.3.3
What's New in 7.3.2
What's New in 7.3.1
What's New in 7.3.0
What's New in 7.2.7
What's New in 7.2.6
What's New in 7.2.5
What's New in 7.2.4
What's New in 7.2.3
What's New in 7.2.2
What's New in 7.2.1
What's New in 7.2.0
What's New in 7.1.9
What's New in 7.1.8
What's New in 7.1.7
What's New in 7.1.6
What's New in 7.1.5
What's New in 7.1.4
What's New in 7.1.3
What's New in 7.1.2
What's New in 7.1.1
What's New in 7.1.0
What's New in 7.0.4
What's New in 7.0.3
What's New in 7.0.2
What's New in 7.0.1
What's New in 7.0.0
Windows Agent Releases
Content Pack Updates
Key Concepts
Getting Started
Advanced Operations
CMDB
Incidents and Cases
Device Support
Rules, Reports, and Dashboards
Advanced Health System
Managing FortiSIEM
Administration
Setup
Configuring Storage
Configuring ClickHouse Based Deployments
Configuring EventDB Based Deployment
Configuring Elasticsearch Based Deployment
Changing Event Database
Changing NFS Server IP
Setting Organizations and Collectors (Service Provider)
Setting Collectors (Enterprise)
Setting Credentials
Discovering Devices
Editing Event Pulling
Editing Performance Monitors
Configuring Synthetic Transaction Monitoring
Configuring Maintenance Calendars
Configuring Windows Agent
Configuring Linux Agent
Configuring FortiSIEM Instance for FortiSIEM Manager
Device Support
Working with Devices and Applications
Working with Event Attributes
Working with Event Types
Working with Parsers
Working with Custom Performance Monitors
Working with Custom Properties
Creating SNMP System Object Identifiers for devices
Analyzing Custom Log Files
Configuring Local Syslog File Ingestion from a Directory
Configuring Local PCAP File Ingestion from a Directory
Health
Viewing Cloud Health
Viewing Collector Health
Viewing Agent Health
Viewing Replication Health
Viewing Automation Agent Health
Installing / Uninstalling Automation Service Agent on Collector
User Activity
License
Viewing License Information
Viewing License Usage
Working with Nodes
Provisioning Automation License
Content Update
Settings
System Settings
UI Settings
Email Settings
Image Server Settings
Cluster Config
Lookup Settings
Kafka Settings
Dashboard Slideshow Settings
Dashboard Ownership
PAYG Report
Trusted Hosts
FortiGuard Proxy
FQDN
API Token
Analytics Settings
Scheduled Report Settings
Incident Notification
Notifying Microsoft Teams Users via Webhook
Notifying WhatsApp Users via Webhook
Notifying Slack Users via Webhook
Notifying Telegram Users via Webhook
Custom Webhook Notification
Incident HTTP Notification
Incident SNMP Traps Notification
Remedy Notification
Subcategory Settings
Risk Filter Settings
UEBA High Risk Entity Settings
UEBA Tags
Rule Tags
ML / AI Settings
Discovery Settings
Generic
Device Filter
Application Filter
Location
CMDB Groups
Monitoring Settings
Important Processes
Important Ports
Important Interfaces
Excluded Disks
Windows WMI Filter
Event Pipeline Settings
Multiline Syslog
Event Organization Mapping
Event Tagging
Event Forwarding
Event Dropping
Database Settings
ClickHouse Configuration
ClickHouse Storage Regions
Creating Retention Policy
Viewing Online Event Data Usage
Viewing Archive Event Data
Event Log Integrity
Role Settings
Mapping AD Groups to Roles
Compliance Settings
Compliance PCI Settings
General Settings
External Authentication Settings
Automation Policy Settings
External Integrations
Ticketing System Integrations
ServiceNow Integration
Jira Integration
ConnectWise Integration
Salesforce Integration
CMDB Inbound Integration
Reputation System Integrations
VirusTotal Integration
FortiGuard IOC Lookup Integration
Configuring Communication through Proxies
Case Management
Managing CMDB
Devices
Viewing Device Information
Working with Device Groups
Adding and Editing Devices
Performing Operations on Devices
Associating Parsers to a Device
Searching for Devices
Applications
Viewing Application Information
Adding and Editing Applications
Working with Application Groups
Users
Viewing User Information
Adding Users
Editing User Information
Performing Operations on Users
Working with User Groups
Business Services
Viewing Business Services
Creating Business Services
Working with Business Service Groups
CMDB Reports
Creating a CMDB Report
Scheduling a CMDB Report
Running a CMDB Report
Adding CMDB Report to Dashboard
Managing Resources
Reports
Viewing System Reports
Creating New Reports
Running System Reports
Working With Report Design Templates
Report Designer Overview
Working with Report Designer Cover Page
Working with Report Designer - Sections and Objects
Scheduling Reports
Importing and Exporting Reports
Importing and Exporting Report Definitions
Saved Report Results
ReportAI
Rules
Viewing Rules
Creating Rules
Activating and Deactivating a Rule
Testing a Rule
Exporting and Importing Rule Definitions
Importing Sigma Rules
Machine Learning Jobs
Viewing Machine Learning Jobs
Editing a Machine Learning Job
Deleting a Machine Learning Job
Watch Lists
System-defined Watch List
Creating a Watch List
Modifying a Watch List
Using a Watch List
Exporting and Importing Watch Lists
Lookup Tables
Adding a Lookup Table
Deleting a Lookup Table
Working with Lookup Table Data
External Datasets
Configuring AWS Security Lake
Configuring AWS S3
Configuring MySQL
Configuring Fortinet FortiEDR
Configuring PostgreSQL
Configuring Snowflake
Provider and Dataset Import / Export Operations
Osquery
Viewing osquery Templates
Creating osquery Templates
Running osquery
Automation
Playbooks
General Concept
Playbook Designer
Playbook Steps
Trigger Steps
Core Steps
Evaluate Steps
Execute Steps
References Steps
Email Steps
Getting Started with Playbooks
Working with Playbooks and Playbook Collections
Execution Logs
Schedules
Playbook Assets
Content Hub
Solution Packs
Collection: 001 - Investigate Incident
Collection: 002 - Remediations
Collection: 003 - Enrichment
Remediations
Adding Remediations
Modifying Remediations
Deleting Remediations
FortiSOAR Playbooks
Viewing FortiSOAR Playbooks
Updating FortiSOAR Playbooks
FortiSOAR Connectors
Viewing Connectors
Updating Connectors
Malware Domains
Adding a Malware Domain
Modifying a Malware Domain
Deleting a Malware Domain
Importing Malware Domains
Viewing Malware Domains
Malware IPs
Adding a Malware IP
Modifying a Malware IP
Deleting a Malware IP
Importing Malware IPs
Viewing Malware IPs
Malware Hash
Adding a Malware Hash
Modifying a Malware Hash
Deleting a Malware Hash
Importing/Updating User-defined Malware Hash
Viewing Malware Hash
Malware Processes
Creating a Malware Process Group
Adding a Malware Process
Modifying a Malware Process
Deleting a Malware Process
Importing Malware Processes
Viewing Malware Processes
Malware URLs
Adding a Malware URL
Modifying a Malware URL
Deleting a Malware URL
Importing Malware URLs
Viewing Malware URLs
Anonymity Network
Adding Anonymity Networks
Modifying Anonymity Networks
Updating Anonymity Networks
Country Groups
Creating a Country Group
Adding a Country Group
Modifying a Country Group
Deleting a Country Group
Changing the Home Country
Default Password
Adding a Default Password
Modifying a Default Password
Importing and Exporting a Default Password
Event Types
Adding an Event Type
Modifying an Event Type
Deleting an Event Type
User Agents
Adding User Agents
Modifying User Agents
Importing and Exporting User Agents
Networks
Adding a Network
Modifying a Network
Deleting a Network
Protocols
Adding a Protocol
Modifying a Protocol
Deleting a Protocol
Working with AlienVault OTX
Working with Dragos IOCs
Working with FortiGuard IOCs
Working with Malware Patrol
Working with MISP Threatfeeds
Working with OpenCTI Threatfeeds
Working with ThreatConnect IOCs
Working with Custom Threat Feeds that use HTTPS Connectivity
Working with Cases
Creating a Case Manually
Creating a Case Automatically
Viewing All Cases
Searching Cases
Viewing a Case in Depth
Acting on a Case
Case Dashboard
Case Report
Steps to Update Case Escalation from 6.x-7.1.x to 7.2.x
Working with Incidents
Overview
List View
Risk View
Explorer View
MITRE ATT&CK View
UEBA View
Investigating Incidents
Automated Incident Resolution Recommendation
Lookups Via External Websites
CVE-Based IPS False Positive Analysis
Remediating an Incident using a Script
Executing a FortiSOAR Playbook on an Incident
Executing a Playbook with Automation Service
Running a FortiSOAR Connector on an Incident
Troubleshooting Incident Trigger
Working with Analytics Search
Overview
Running a Built-in Historical Search
Creating a New Search
Creating a Nested Search
Viewing Real-time Search Results
Viewing Historical Search Results
Searches Using Pre-computed Results
Working with Search Results
Advanced Search
Overview
Running a Built-in Advanced Search
Creating a New Advanced Search
Fixing SQL Query Syntax Errors with FortiAI
Miscellaneous Advanced Search Operations
Advanced Search Examples
Federated Search
Overview
Observables and Mappings
Creating a Federated Search
Creating a Federated Search from Incidents or Analytics
Miscellaneous Federated Search Operations
Working with Federated Search Results
Machine Learning
Overview
Anomaly Detection
Classification
Clustering
Forecasting
Regression
Automation Audit Events
Working with Dashboards
General Operations
Widget Dashboard
Summary Dashboard
Business Service Dashboard
Identity and Location Dashboard
Interface Usage Dashboard
PCI Logging Status Dashboard
Managing Tasks
FortiAI
FortiAI Chat
Incident Analysis
Case Analysis
Log Analysis
Advanced Search SQL Helper
FortiSIEM Manager
FortiSIEM Manager Incidents
FortiSIEM Manager Incidents Overview View
FortiSIEM Manager Incidents - List View
FortiSIEM Manager CMDB Users
FortiSIEM Manager CMDB Adding Users
FortiSIEM Manager - Editing User Information
FortiSIEM Manager Resources
FortiSIEM Manager Resources Rules
FortiSIEM Manager Resources Connectors
FortiSIEM Manager Resources Playbooks
FortiSIEM Manager Resources - Event Types
FortiSIEM Manager Admin
FortiSIEM Manager Setup
FortiSIEM Manager Health
FortiSIEM Manager Cloud Health
FortiSIEM Manager Collector Health
FortiSIEM Manager License
Appendix
Administrative Tools and Information
Adding Network Interfaces
Backing Up and Restoring Databases
Creating and Restoring ESX Snapshots
Exporting Events from FortiSIEM
Importing Events into FortiSIEM
Increasing Collector Event Buffer Size
Listing Event Attributes seen by Elasticsearch
Managing Events in EventDB
Managing FortiSIEM Operations
ClickHouse Usage Notes
ClickHouse Index Design
ClickHouse Operational Overview
ClickHouse Query Optimization Guidelines
Handling ClickHouse Node IP Change
ClickHouse Backup and Restore Steps
Deleting ClickHouse Organization Data
Rebalancing Shards
Advanced Operations
Migrating ClickHouse Events from FortiSIEM 6.5.x to 6.6.0 or Later
Post-7.1.1 Upgrade ClickHouse IP Index Rebuilding
Reference
Configuration Notes
Automated CMDB Disk Space Management
Component Communication and Network Port Usage
Configuring FortiSIEM Application Server for Proxy Connectivity
Configuring SSL Socket Certificates
Editing phoenix_config.txt File
FortiSIEM Deployment Scenarios
FortiSIEM OS Updates and Internet Connectivity
Tuning PostgreSQL Configuration Parameters
Elasticsearch Usage Notes
Configuring Elasticsearch Buffer
Configuring Elasticsearch Timeout
Dynamic Scripting Limits
Elasticsearch Feature Compatibility
Merging Small Elasticsearch Indices into a Big Index
Differences in Analytics Semantics between EventDB and Elasticsearch
Elasticsearch Known Issues
Examples of Custom Performance Monitors
Custom JDBC Performance Monitor for a Custom Table
Custom SNMP Monitor for D-Link Interface Network Statistics
Custom JMX Monitor for IBM Websphere
Custom SNMP Monitor for D-Link HostName and SysUpTime
Custom WMI Monitor for Windows Domain and Physical Registry
Exporting QRadar Logs to FortiSIEM
FortiEMS Endpoint Tagging
FortiSIEM Attribute to Observable Mappings
GUI Notes
Flash to HTML5 GUI Mapping
FortiSIEM Charts and Views
FortiSOAR Integration Notes
Configuring FortiSOAR for FortiSIEM Integration
Writing FortiSIEM Compatible FortiSOAR Playbooks
Functions in Analytics
Knowledge Base
FortiSIEM Event Attribute to CEF Key Mapping
FortiSIEM Event Categories and Handling
Public Domain Built-in Rules
License Enforcement
Parser Specification
General Parsing Patterns
Event Format Recognizer Specification
Parsing Instructions
Setting Event Attributes
When Construct
Choose Construct
Switch Construct
Built-in Patterns
Built-in Functions
Collect and Set Functions
Compute Functions
Conversions Functions
Extraction Functions
String Functions
Python Threat Feed Framework
Sample Windows Agent Logs
UEBA Information
Comparing UEBA Sources
UEBA based on Log
UEBA Sample Logs
Windows Agent System Variables