Understanding Search Components

To perform a well-defined Search, specify the following:

  • Search filters – this specifies which data will be included in the Search.
  • Search Time Window – only events that have been received by FortiSIEM within this time window will be part of the search.
  • Aggregations and Display fields – this specifies how the data will be grouped and which fields will be displayed in the search result.
  • Organizations for a Service Provider deployment – only events belonging to the selected organizations will be included in the Search.

To specify Search Filters:

  1. Click on the Edit Filters and Time Range edit box.
  2. Click + under Row and specify a filter condition.
    1. Attribute - Choose an event attribute from the drop-down or build an expression using the expression builder.
    2. Operator - Choose the operator from the drop-down.
    3. Value - Type a value in the edit box, choose a value from the CMDB, or build an expression using the expression builder.
  3. If more than one filter condition is needed, then:
    1. Specify the AND/OR operator.
    2. Specify the next filter condition.
    3. Apply parentheses if needed to prioritize filter evaluation by clicking + on the Paren icon.
  4. Rows and parentheses can be deleted by clicking - on the Row or Paren icon.

To specify the Search Time Window:

  1. Click on the Edit Filters and Time Range edit box.
  2. Specify the time window:
    1. Real time mode – only from the current time onwards.
    2. Historical mode – for previous time periods that have already occurred. Select Relative or Absolute option.
      1. For Relative option, the query will run for a duration in the past, starting from current time. Choose the time scale (Minutes/Hours/Days) and the quantity.
      2. For Absolute option, the query will run for a specific time window in the past. There are two ways to specify this:
        1. Using two explicitly defined time epochs.
        2. Using the Always prior option to define time periods like last 1 week or last 2 months. If you are interested in re-running the same report on a daily basis, then you do not have to change the time period.

To specify Display Fields:

  1. Click on the Column icon to create a display column.
  2. Enter an attribute.
    1. For non-aggregated search, choose the event attribute from the drop down list. If the attribute is not on the list then type in a part of the attribute name to see some matches (for example, typing “IP” will show “Source IP” which is not on the list).
    2. For aggregated search, enter an event Attribute or create an expression using the Expression Builder, described below.
  3. Optionally, select the Order of display as ASC (ascending) or DESC (descending) if the search result should be ordered by this column. Choose this order carefully: if multiple columns have an Order specified, the system orders by the column that appears first and then by the other columns in their order of appearance on the Display Column page.
  4. If you want a column heading to display differently than the attribute, choose the desired name as Display As. A common use is naming the expression “COUNT(Matched Events)” as “Count”.
  5. The search results are displayed in the order of the columns. You can alter the position of a column by clicking the Move up and down arrows.

To specify Organizations in a Service Provider deployment, simply select the organizations from the drop-down.

Examples of Operators in Expressions

Operator                                 Argument                                            Example
COUNT                                    Matched Events                                      COUNT (Matched Events)
COUNT DISTINCT                           Any non-numerical attribute that is not unique      COUNT DISTINCT (Host Name)
AVG, MAX, MIN, SUM, Pctile95, PctChange  Numerical attribute                                 AVG (CPU Util), MAX (CPU Util), MIN (CPU Util)
LAST, FIRST                              Numerical attribute                                 LAST (System Uptime), FIRST (System Uptime)
HourOfDay, DayOfWeek                     Time attribute                                      HourOfDay (Event Receive Time), DayOfWeek (Event Receive Time)
DeviceToCMDBAttr                         Host name/IP

Examples of Expressions

Operators with arguments can be combined with +, -, / and * and parentheses to form an expression. For a good example, see the built-in report “Top Devices By System Uptime Pct”, which computes the System Uptime percentage using the expression

100 - (100*SUM(System Down Time)/SUM(Polling Interval)).

Examples of various searches

  • Non-aggregate search – see Shortcut > Raw Messages.
  • Aggregate search:
    1. Basic – one attribute and one counting expression - Shortcut > Top Event Types.
    2. Intermediate – two attributes and one counting expression - Shortcut > Top Reporting Devices and Event Types.
    3. Advanced – multiple attributes and complex expressions including Device to CMDB attributes:
      1. Reports > Function > Performance > Top Network Interfaces By Util
      2. Reports > Function > Availability > Top Devices By Business Hours Network Ping Uptime Pct
      3. Reports > Incidents By Location and Category