List View

This tabular view enables the user to search incidents and take actions.

Viewing Incidents

Go to ANALYTICS > List to see this view. This view can be set as the default view by selecting Incident Home in ADMIN > General Settings > System > UI > UI Settings.

List view refreshes automatically every minute by default. The refresh menu on the top bar allows the user to disable the automatic refresh or choose a different refresh interval. By default, the Active Incidents from the last 2 hours are shown, sorted by Last Occurred time with the most recent incident first.

The following incident attributes are shown for each incident:

  • Severity - High (Red), Medium (Yellow) or Low (Green)
  • Last Occurred - last time this incident occurred
  • Incident - name of the incident
  • Reporting - set of devices that are reporting the incident
  • Source - source of the incident (host name or IP address)
  • Target - target of the incident (host name or IP address or user)
  • Detail - other incident details, for example, Counts, Average CPU utilization, file name and so on.

To see the details of an incident, click on the incident. A bottom panel appears that shows more details about the incident, namely:

  • Details - includes the full list of incident attributes that are not shown in the top pane.

    Column - Description
    Incident - Unique ID of the incident in the Incident database
    Incident Type - Event type associated with this incident. All incidents with the same name have the same Incident Type.
    Severity - Incident Severity in the numerical range 0-10 (0-4 is set as Low, 5-8 as Medium and 9-10 as High)
    First Occurred - First time the incident occurred
    Incident Status - The incident can be in one of these states:
      - Active: an ongoing incident
      - Cleared: cleared manually by a user
      - System Cleared: cleared by the system; rule clearance logic can be set in the rule definition
      - External Cleared: cleared in the external ticketing system
    Count - Number of times this incident has occurred with the same incident source and target criteria
    Reporting IP - IP addresses of the devices reporting the incident
    Organization - Organization of the reporting device (for Service Provider installations)
    Biz Service - Impacted business services to which either the incident source or target belongs
    Incident Comments - Comments added by the user
    View Status - Whether the incident has been read or not
    Cleared Reason - User-specified reason for clearing an incident
    Cleared Time - Time at which the incident was cleared
    Cleared User - User who cleared the incident
    Notification Status - Status of the notification: Success or Failed
    Notification Recipient - User who was notified about the incident
    Ticket ID - ID of a ticket if created in FortiSIEM
    Ticket Status - Status of a ticket if created in FortiSIEM
    Ticket User - User assigned to a ticket if created in FortiSIEM
    External Ticket ID - ID of a ticket in an external ticketing system such as ServiceNow, ConnectWise, etc.
    External Ticket Type - Type of the external ticketing system (ServiceNow, ConnectWise, Salesforce, Remedy)
    External Ticket State - State of a ticket in an external ticketing system
    External User - External user assigned to a ticket in an external ticketing system
    External Cleared Time - Time at which the incident was resolved in an external ticketing system
    External Resolve Time - Resolution time in an external ticketing system
  • Events - this shows the set of events that triggered the incident. If an incident involves multiple sub-patterns, select the sub-pattern to see the events belonging to that sub-pattern. For the Raw Event Log column, click Show Details from the drop-down to see the parsed fields for that event.

To close the incident details pane, click on the highlighted incident.

Acting on Incidents

The Actions menu provides a list of actions that can be taken on incidents. To see a Location View of the incidents, select Locations from the Actions menu. FortiSIEM has a built-in database of locations of public IP addresses. Private IP address locations can be defined in ADMIN > General Settings > Discovery > Location.

To change the incident attribute display columns in the List View, select Display from the Actions menu, select the desired attributes and click Close.

You can perform the following operations using the Actions menu:

Searching Incidents

  1. Select Search from the Actions menu.
  2. In the left pane, click on an Incident attribute (for example, Function). All possible values of the selected attribute are shown, each with a count next to it (for example, Security, Availability and Performance for Function).
  3. Select any value (for example, Performance) and the right pane updates with the relevant incidents.
  4. Click and select other Incident Attributes to refine the Search or click X to cancel the selection.

Clearing one or more incidents

  1. Search the specific incidents and move them into the right pane.
  2. Select the first incident.
  3. Press and hold the Shift key and select the last incident; all incidents between the first and the last are highlighted.
  4. Select Clear Incident from the Actions menu.
  5. Enter a Reason for clearing.
  6. Click OK.

Disable one or more rules

  1. Search the specific incidents and move them into the right pane.
  2. Select the first incident.
  3. Press and hold the Shift key and select the last incident; all incidents between the first and the last are highlighted.
  4. Select Disable Rule from the Actions menu.
  5. For Service Provider installations, select the Organizations for which to disable the rule.
  6. Click OK.

Adding or editing comments for one or more incidents

  1. Search the specific incidents and move them into the right pane.
  2. Select the first incident.
  3. Press and hold the Shift key and select the last incident; all incidents between the first and the last are highlighted.
  4. Select Edit Comment from the Actions menu.
  5. Type the comment or edit the comment in the edit box.
  6. Click OK.

Exporting one or more incidents into a PDF or CSV file

  1. Search the specific incidents and move them into the right pane.
  2. Select the first incident.
  3. Press and hold the Shift key and select the last incident; all incidents between the first and the last are highlighted.
  4. Select Export from the Actions menu.
  5. Type the comment or edit the comment in the edit box.
  6. Select the Output Format and Maximum Rows.
  7. Click Generate.
    A file will be downloaded in your browser.

Fine tuning a rule triggering an Incident

  1. Select an incident.
  2. Select Edit Rule from the Actions menu.
  3. In the Edit Rule dialog box, make the required changes.
  4. Click OK.

Creating an exception for the rule

  1. Select an incident.
  2. Select Edit Rule Exception from the Actions menu.
  3. In the Edit Rule Exception dialog box, make the required changes.
    1. For Service Provider deployments, select the Organizations for which the exception will apply.
    2. Select the exception criteria:
      1. For incident attribute based exceptions, select the incident attributes for which the rule will not trigger.
      2. For time based exceptions, select the time for which the rule will not trigger.
      3. Select AND/OR between the two criteria.
      4. Add Notes.
    3. Click Save.

Creating Event Dropping Rules

Event Dropping Rules may need to be created to prevent an incident from triggering. To create such a rule:

  1. Select an incident.
  2. Select Edit Rule Exception from the Actions menu.
  3. In the Event Dropping Rule dialog box, enter the event dropping criteria:
    1. Organization - For Service Provider deployments, select the organizations for which the exception will apply.
    2. Reporting Device - Select the device whose reported events will be dropped.
    3. Event Type - Select the matching event types.
    4. Source IP - Select the matching source IP address in the event.
    5. Destination IP - Select the matching destination IP address in the event.
    6. Actions - Choose between dropping the events completely or storing them in the event database without triggering the incident.
    7. Regex filter - Select a regex filter to match the raw event log.
    8. Description - add a description for the drop rule.
  4. Click Save.
    The rule will appear in ADMIN > General Settings > Event Handling > Dropping.
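How the dropping criteria combine, and what separates the two Actions, is easier to see in code. The following is an added example, not FortiSIEM's own code: a constructed model of a drop rule in which any criterion left unset is treated as a wildcard and the first matching rule wins (both assumptions about the product), run over constructed sample events.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class DropRule:  # constructed model of the dialog; None/empty criterion means "any" (assumption)
    reporting_device: Optional[str] = None
    event_types: Set[str] = field(default_factory=set)
    source_ip: Optional[str] = None     # single IP or CIDR
    dest_ip: Optional[str] = None
    regex_filter: Optional[str] = None  # applied to the raw event log
    action: str = "drop"                # "drop" or "store_only"

def _ip_matches(pattern: Optional[str], ip: str) -> bool:
    return pattern is None or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def rule_matches(rule: DropRule, event: dict) -> bool:
    """All criteria set on the rule must match; unset criteria are wildcards."""
    if rule.reporting_device and event["reporting_device"] != rule.reporting_device:
        return False
    if rule.event_types and event["event_type"] not in rule.event_types:
        return False
    if not (_ip_matches(rule.source_ip, event["source_ip"]) and _ip_matches(rule.dest_ip, event["dest_ip"])):
        return False
    return not rule.regex_filter or re.search(rule.regex_filter, event["raw_log"]) is not None

def process(events, rules):
    """Return (events written to the event database, events passed on to rule correlation)."""
    stored, correlated = [], []
    for ev in events:
        hit = next((r for r in rules if rule_matches(r, ev)), None)  # first matching rule wins
        if hit is None:
            stored.append(ev)
            correlated.append(ev)
        elif hit.action == "store_only":
            stored.append(ev)  # searchable for forensics, but never reaches the rule engine
        # action "drop": the event is discarded entirely
    return stored, correlated
SAMPLE_EVENTS = [  # constructed sample events, not real FortiSIEM output
    {"id": 1, "reporting_device": "FW-EDGE-1", "event_type": "Scan-Detected",
     "source_ip": "10.1.1.5", "dest_ip": "10.2.0.7", "raw_log": "scanner=authorized-vuln-scan"},
    {"id": 2, "reporting_device": "FW-EDGE-1", "event_type": "Scan-Detected",
     "source_ip": "198.51.100.9", "dest_ip": "10.2.0.7", "raw_log": "scanner=unknown"},
    {"id": 3, "reporting_device": "SW-CORE-2", "event_type": "Keepalive",
     "source_ip": "10.3.0.1", "dest_ip": "10.3.0.2", "raw_log": "keepalive ok"},
]
RULES = [  # authorised scanner: keep its scan events but raise no incident; keepalives: discard
    DropRule(reporting_device="FW-EDGE-1", event_types={"Scan-Detected"}, source_ip="10.1.1.0/24",
             regex_filter=r"authorized-vuln-scan", action="store_only"),
    DropRule(event_types={"Keepalive"}, action="drop"),
]
```

The scan from an address outside the authorised range (event 2) passes through untouched, which is why narrowing a drop rule by Source IP and regex rather than by Event Type alone keeps the detection intact for everyone else.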

Emailing incidents

Incidents can be emailed to one or more recipients. First make sure that Email settings are properly defined in ADMIN > General Settings > System > Email. Note that this email notification from the Incident page is ad hoc and has to be set up manually by the user after the incident has triggered. To define an automatic notification, create an Incident Notification Policy in ADMIN > General Settings > Notification. To email one or more incidents on demand:

  1. Search the specific incidents and move them into the right pane.
  2. Select the first incident.
  3. Press and hold the Shift key and select the last incident; all incidents between the first and the last are highlighted.
  4. Select Email Incidents from the Actions menu and enter the following information:
    1. Send To - a list of recipient email addresses separated by commas.
    2. Email template - Choose the email template. If you do not want the default email template, you can create your own in ADMIN > General Settings > System > Email > Incident Email Template.

Creating a Remediation action

Incidents can be mitigated by deploying a mitigation script, for example blocking an IP in a firewall or disabling a user in Active Directory. Note that this type of incident mitigation from the Incident page is ad hoc and has to be set up manually by the user after the incident has triggered.

To define an automatic remediation, create an Incident Notification Policy in ADMIN > General Settings > Notification and choose the Remediation action. To create a remediation action:

  1. Select an incident.
  2. Select Remediate from the Actions menu.
  3. Choose the Remediation script from the drop-down menu.
  4. Choose the Enforce On devices; the script will run on those devices. Make sure that FortiSIEM has working credentials for these devices defined in ADMIN > Setup > Credentials.