Creating a Rule

Creating a new rule involves defining the attributes of the incident that is triggered by the rule, as well as the triggering conditions and any exceptions or clear conditions. You can also create a rule by cloning an existing rule using the Clone button and editing it. 

Note: Do not use certain keywords, such as regexp, in sub-pattern names.

Follow the procedure below to create a rule:

  1. Go to RESOURCES > Rules.
  2. Select the group where you want to add the new rule.
  3. Click New.
  4. Enter a Rule Name and Description.
  5. Enter the Remediation.
  6. Under Conditions, click Subpattern to create the rule conditions.
  7. Select a Severity to associate with the incident triggered by the rule. 
  8. Select Dashboard to view the report under the DASHBOARD tab.
  9. Select a Category for the incident triggered by the rule.
  10. For Attributes, enter the functional area, such as Security, that you want to associate the rule with. 
  11. Enter a Notification frequency for how often you want notifications to be sent when an incident is triggered by this rule. 
  12. Select the Function type from the drop-down.
  13. For Actions, click the edit icon to define the incident that will be generated by this rule.
    You must have at least one incident defined before you can save your rule.  
  14. For Watch Lists, click the edit icon to add a watch list to the rule.
  15. To define any Exceptions for the rule, click the edit icon.
  16. To define any Clear conditions for the rule, click the edit icon.
  17. Click Save.
    Your new rule will be saved to the group you selected in an inactive state. Before you activate the rule, you should test it. 

Activating and Deactivating a Rule

When you create a new rule, you must activate it before it will start to monitor events. You may also want to deactivate a rule, for example to test it, instead of deleting it from the system. 

  1. Go to RESOURCES > Rules.
  2. Browse or search to find the rule that you want to activate or deactivate.
  3. Select Active to activate the rule, or clear the Active option to deactivate it.