
User Guide

Event Tagging


Event Tagging enables you to set additional attributes on events, including attributes that are not present in the original events. You can also use it to overwrite parsed attributes already in the event. Event Tagging can be accomplished in two ways:

  • Policy Based Event Tagging: By writing tagging rules using event attributes.

  • File Based Event Tagging: By using tagging information from files.

Please read the Implementation Notes before creating your Event Tagging.

Creating Policy Based Event Tagging

Policy Based Event Tagging consists of your custom condition (rule) and one or more tags. Each incoming event is checked against these Policy Based Event Taggings sequentially, in top-to-bottom order. When a match is found, the tag or attribute defined in that Policy Based Event Tagging is applied to the event. All matches are considered, so later Policy Based Event Taggings may overwrite the tags set in earlier matches. Use the Up and Down buttons to adjust this order.

To create a Policy Based Event Tagging, take the following steps:

  1. Navigate to Admin > Settings > Event Pipeline > Event Tagging.

  2. Under Policy based Event Tagging, click +.

  3. In the Name field, enter the Event Tagging name.

  4. Select the Enabled checkbox to enable the Event Tagging.

  5. Under Condition, define the condition(s) for event tagging. See Defining Rule Conditions.

  6. Under Tag, specify the tag attribute. To add another tag, under Row, click on +.

  7. Click Save when done.

  8. Click the Apply icon to apply the saved changes. Policy Based Event Tagging will now use the latest changes.

Creating File Based Event Tagging

File Based Event Tagging allows you to set event attributes by using values defined in a Comma Separated Values (CSV) file. This approach may be useful when there are too many Policy Based Event Taggings to write and the tagging information is available in a file, likely exported from another system.

You can write multiple File Based Event Tagging rules. Each incoming event is checked against these rules sequentially, in top-to-bottom order. When a match is found, the tag or attribute defined in that file is applied to the event. All matches are considered, so later files may overwrite the tags set in earlier matches. Use the Up and Down buttons to adjust this order.

The CSV file must adhere to the following:

Row | Objects
First row | Column Header (Key).
Following rows | Key-Value pair. There must be a corresponding Key-Value pair for each Key.

Each object is separated by a comma (,).

Example Structure/Content:

Key1,Key2,Key3,Key4
Key1-Value1,Key2-Value1,Key3-Value1,Key4-Value1
Key1-Value2,Key2-Value2,Key3-Value2,Key4-Value2
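A pre-upload check for the CSV requirements above, as an added example (not FortiSIEM code). The function name and messages are hypothetical, and the conflict check is an extra precaution: this page does not say which row wins when the same match value appears with different tag values.

```python
import csv
import io

# The page's own example file, and a constructed file with three defects.
GOOD_CSV = ("IP,Department\n10.1.1.1,Engineering\n10.1.1.2,Engineering\n"
            "10.2.2.1,Finance\n10.2.2.2,Finance\n")
BAD_CSV = ("IP,Department\n10.1.1.1,Engineering\n10.1.1.2\n"
           "10.2.2.1,\n10.1.1.1,Finance\n")

def lint_tagging_csv(text, match_column):
    """Return a list of problems in a tagging CSV (empty list means clean).

    match_column is the column the tagging condition will compare against.
    Row numbers count non-blank rows, with the header as row 1.
    """
    rows = [r for r in csv.reader(io.StringIO(text)) if r]  # drop blank lines
    if not rows:
        return ["file is empty: no header row"]
    problems = []
    header = [h.strip() for h in rows[0]]
    if "" in header:
        problems.append("header row has an empty column name")
    if len(set(header)) != len(header):
        problems.append("header row has duplicate column names")
    if match_column not in header:
        problems.append(f"match column {match_column!r} is not in the header")
        return problems
    key_idx = header.index(match_column)
    seen = {}  # match value -> (row number, full row)
    for rowno, row in enumerate(rows[1:], start=2):
        values = [v.strip() for v in row]
        # Every key in the header needs a corresponding value in each row.
        if len(values) != len(header):
            problems.append(f"row {rowno}: {len(values)} values for {len(header)} keys")
            continue
        if "" in values:
            problems.append(f"row {rowno}: empty value")
            continue
        key = values[key_idx]
        # Same match value with different tag values: outcome is ambiguous.
        if key in seen and seen[key][1] != values:
            problems.append(f"row {rowno}: {key} conflicts with row {seen[key][0]}")
        seen.setdefault(key, (rowno, values))
    return problems
```
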

After providing the CSV file, you must then configure the condition and tag(s). An example is available in File Based Event Tagging Example.

To create File Based Event Tagging, follow these steps:

  1. Navigate to Admin > Settings > Event Pipeline > Event Tagging.

  2. Under File based Event Tagging, click +.

  3. In the Name field, enter the Event Tagging name.

  4. From File, click Choose File, select a .csv file, and click Save.

  5. From the Organization drop-down list, select the organization that this policy will apply to (Global, or a specific organization).

  6. Under Condition, define the condition for event tagging. See Defining Rule Conditions.

  7. Under Tag, specify the tag attributes. To add another tag, under Row, click +.

  8. Click Save.

  9. Click the Apply icon to apply the saved changes. File Based Event Tagging will now use the latest changes.

File Based Event Tagging Example

To illustrate Event Tagging via file, let's say we have the following CSV file content:

IP,Department
10.1.1.1,Engineering
10.1.1.2,Engineering
10.2.2.1,Finance
10.2.2.2,Finance

After uploading the file, you configure the following:

Condition:

Event Attribute | Operator | Column Name
Source IP | = | IP

Tag:

Event Attribute | Operator | Column Name
Dept | = | Department

Prior to Event Tagging:

Event E1: Source IP = 10.1.1.1

Event E2: Source IP = 10.2.2.1

With Event Tagging:

Event E1: Source IP = 10.1.1.1, Dept: Engineering

Event E2: Source IP = 10.2.2.1, Dept: Finance

Implementation Notes

The following tagging rules should be kept in mind:

  1. For each event, first Policy Based Event Taggings are applied and then File Based Event Taggings are applied.

  2. For each Policy Based Event Tagging and File Based Event Tagging:

    1. Rules are applied sequentially in top-to-bottom order.

    2. All matches are considered, so later rules may overwrite earlier matches.

  3. Policy Based Event Tagging and File Based Event Tagging each have their own Apply buttons. Click these separately to deploy the changes. Only after this operation will new tagging changes be applied.
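The ordering rules above, modelled as an added example (not FortiSIEM code) that also logs every overwrite so you can see which rule decided the final value of an attribute. The rule structures, rule names, the Zone attribute and the equality-only conditions are assumptions made for illustration.

```python
import csv
import io

# Constructed rules; Source IP and Dept follow the page's example.
POLICY_RULES = [  # listed top to bottom
    {"name": "P1", "when": {"Source IP": "10.1.1.1"},
     "tags": {"Dept": "Unassigned"}},
    {"name": "P2", "when": {"Source IP": "10.1.1.1"},
     "tags": {"Dept": "Lab", "Zone": "Internal"}},
]
FILE_RULES = [
    {"name": "F1",
     "csv": "IP,Department\n10.1.1.1,Engineering\n10.2.2.1,Finance\n",
     "when": {"Source IP": "IP"},       # event attribute = CSV column
     "tags": {"Dept": "Department"}},   # event attribute = CSV column
]

def _set(event, attr, value, rule, log):
    """Set one attribute and record any overwrite of an existing value."""
    if attr in event and event[attr] != value:
        log.append((attr, event[attr], value, rule))
    event[attr] = value

def tag_event(event, policy_rules=POLICY_RULES, file_rules=FILE_RULES):
    """Return (tagged_event, overwrite_log) following the documented order."""
    event, log = dict(event), []
    # 1. Policy based rules first, top to bottom; every match is applied.
    for rule in policy_rules:
        if all(event.get(a) == v for a, v in rule["when"].items()):
            for attr, value in rule["tags"].items():
                _set(event, attr, value, rule["name"], log)
    # 2. File based rules next, top to bottom; a row matches when each
    #    condition attribute equals the value in the named column.
    for rule in file_rules:
        for row in csv.DictReader(io.StringIO(rule["csv"])):
            if all(event.get(a) == row[c] for a, c in rule["when"].items()):
                for attr, col in rule["tags"].items():
                    _set(event, attr, row[col], rule["name"], log)
    return event, log
```

For an event with Source IP 10.1.1.1, Dept ends as Engineering: P2 overwrites P1, then the file rule F1 overwrites P2, and both steps appear in the log.
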
