User Guide

Triage rules

The Triage Rules view is the landing page for the Detections tab. Use this view to review and respond to the detections that each rule has triggered.

To view the Triage Rules page:
  1. Go to Detections > Triage Rules. The Detections > Rules page opens.
  2. (Optional) Filter the rules on the page.

    Search

    Enter the technique ID, technique name or technique description.

    Rules are filtered by prefix match on the technique ID. If technique T1234 is entered, the rules returned also include its sub-techniques T1234.001, T1234.002, T1234.003, etc.

    Severity

    Select High (H), Medium (M), or Low (L).

    Additional Filters

    Click the filter icon to view additional filters.

    Filter and description:

    Category: Filter the rules by category. See Rule Categories.
    Created By: Filter by the account that created the rule.
    Technique: Filter by the technique used for the detection.
    Confidence: Select High (H), Medium (M), or Low (L).
    Detection Status: Select All, Active or Idle.
      Active: Rule has at least one Active (not Muted) detection.
      Idle: Rule has zero Active (not Muted) detections.
    Muted: Select Unmuted or Muted. See Muting rules.
    Disabled: Select Enabled or Disabled. See Disabling rules.
    Order By: Order the rules by Impacted Devices, Muted Devices, Severity, Confidence, Category, or Last Seen.
  3. Click a rule to open the Details page. The following information is displayed:

    Category

    The attack category.

    First Seen

    The UTC date and time the first event associated with the detection occurred.

    Last Seen

    The UTC date and time the last known event tied to the rule was observed.

    Rule Updated

    The UTC date and time the rule was modified.

    Resolution Method

    • Automatic: The detection will be resolved if events containing the same host and sensor ID are not observed for the specified time period.

    • Manual: The detection will remain active until an analyst resolves the detection.

    MITRE ATT&CK

    The MITRE ATT&CK ID.

    Primary Technique

    The primary attack name and ID.

    Specificity

    Behaviors

    The behavior coverage.

    Description: A description of the detection.
    Next Steps: Recommendations to resolve the detection.
    Show Matching Events: Click to view the Entity Lookup.
    Author: The rule author.
    Impacted Device Field: The fields used to generate the detection. The internal IP address in the src.ip or dst.ip fields is the default.
    Indicator Fields

    The indicators the rule uses to generate the detection.

    Tooltip

    This information is useful for identifying related activity and tracking indicators over time.

    Rules can define up to five fields to extract indicators from, and each detection can store up to five unique indicators for each indicator field.

    Impacted devices

    The active detections for the rule. All Active detections are displayed by default. You can create a filter to view Muted or Resolved detections.

    You can use this tab to resolve detections or to search for a device by IP.

    Signature

    This tab displays the IQL signature defined for the rule. You can use a query string to create a custom rule. See Adding custom filters to a rule signature.

    Events

    This tab displays all of the events that have matched the rule's signature.

    • Left-click on an entity to open the Entity Panel.

    • Right-click a field to open its menu (for example, Search Events, Targeted Search and Copy to Clipboard).

    • Hover a column header to lock, sort or arrange the columns.

    Note

    These events are duplicates of the original matching event. When an event matches a rule's signature, a copy is created and added to the rule's list of Latest Events so the event remains associated with the rule.

    This list can display up to the last 1000 matching events. Events could remain in the list in perpetuity if the rule rarely fires.

    Indicators

    This tab displays the field value extracted from a detection's event(s) as defined by the detection rule.

    This information is useful for identifying related activity and tracking indicators over time. Rules can define up to five fields to extract indicators from and each detection can store up to five unique indicators for each indicator field.

    Detections Graph

    The Detections Graph plots a rule's detection volume over time.

    If a posture-related rule fires constantly, the graph will help show whether the issue is improving or worsening over time.
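The following is an added example, not Fortinet's code: a small in-memory model of the Triage Rules behaviour described in steps 2 and 3 above, so an analyst can see how the Search (technique-ID prefix), Severity and Detection Status filters, the Active/Idle rule status and the Automatic resolution method interact. The class names, fields, time window and sample detections are constructed for illustration; the ATT&CK IDs used in the sample (T1078, T1078.001, T1021) are real technique IDs, but the rule names and hosts are made up. Matching the technique prefix only at a dot boundary is an assumption of this example, added so that a query such as T1078 matches T1078.001 without also matching an unrelated ID that merely starts with the same characters.

```python
# Added example (not Fortinet code): in-memory model of Triage Rules filtering,
# Active/Idle status and Automatic resolution. All names and data are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Detection:
    """One detection, keyed by the impacted host and the sensor that observed it."""
    host: str
    sensor_id: str
    last_seen: datetime          # UTC time of the last matching event for this host/sensor
    muted: bool = False
    resolved: bool = False

    @property
    def active(self) -> bool:
        # A detection counts as Active only while it is neither muted nor resolved.
        return not (self.muted or self.resolved)


@dataclass
class Rule:
    name: str                    # technique name shown in the rule list
    description: str
    technique: str               # MITRE ATT&CK ID, e.g. "T1234.001"
    severity: str                # "H", "M" or "L"
    resolution: str              # "Automatic" or "Manual"
    auto_resolve_after: Optional[timedelta] = None   # window for Automatic resolution (assumed field)
    detections: list = field(default_factory=list)

    @property
    def status(self) -> str:
        # Active: at least one Active (not Muted) detection; otherwise Idle.
        return "Active" if any(d.active for d in self.detections) else "Idle"


def technique_matches(rule_technique: str, query: str) -> bool:
    """Prefix match on the technique ID: T1234 matches T1234 and T1234.001, T1234.002, ...
    The dot boundary is this example's assumption, not a documented rule."""
    t, q = rule_technique.upper(), query.upper()
    return t == q or t.startswith(q + ".")


def filter_rules(rules, search="", severity=None, status="All"):
    """Apply the Search, Severity and Detection Status filters from step 2."""
    hits = []
    for r in rules:
        if search:
            text_hit = search.lower() in (r.name + " " + r.description).lower()
            if not (technique_matches(r.technique, search) or text_hit):
                continue
        if severity and r.severity != severity:
            continue
        if status != "All" and r.status != status:
            continue
        hits.append(r)
    return hits


def auto_resolve(rule: Rule, now: datetime) -> int:
    """Automatic resolution: resolve every Active detection whose host/sensor pair
    has produced no event within the rule's window. Manual rules are untouched.
    Returns the number of detections resolved."""
    if rule.resolution != "Automatic" or rule.auto_resolve_after is None:
        return 0
    count = 0
    for d in rule.detections:
        if d.active and now - d.last_seen > rule.auto_resolve_after:
            d.resolved = True
            count += 1
    return count


def sample_rules(now: datetime):
    """Constructed sample rules and detections (not real data)."""
    stale = now - timedelta(days=3)
    fresh = now - timedelta(hours=1)
    return [
        Rule("Valid Accounts", "Use of stolen credentials", "T1078", "H", "Automatic",
             timedelta(days=1),
             [Detection("10.0.0.5", "sensor-a", stale),
              Detection("10.0.0.9", "sensor-a", fresh, muted=True)]),
        Rule("Default Accounts", "Logon with a vendor default account", "T1078.001",
             "M", "Manual", None, [Detection("10.0.1.7", "sensor-b", fresh)]),
        Rule("Remote Services", "Lateral movement via RDP", "T1021", "L", "Manual",
             None, []),
    ]


def run_demo() -> dict:
    """Exercise the model at a fixed instant and return the results for inspection."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    rules = sample_rules(now)
    results = {
        "t1078_family": [r.technique for r in filter_rules(rules, search="T1078")],
        "high_only": [r.technique for r in filter_rules(rules, severity="H")],
        "idle_before": [r.technique for r in filter_rules(rules, status="Idle")],
    }
    # The stale T1078 detection is resolved; the muted one is skipped.
    results["resolved_by_auto"] = auto_resolve(rules[0], now)
    results["status_after"] = {r.technique: r.status for r in rules}
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note that a muted detection never counts towards a rule's Active status, so a rule whose only remaining detections are muted shows as Idle even though nothing has been resolved; the `status_after` result shows the T1078 rule dropping to Idle once its one unmuted detection ages out of the window.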
