System-defined Watch list
FortiSIEM includes several pre-defined watch lists that are populated by system-defined rules.
Watch list | Description | Attribute Type | Triggering Rules |
---|---|---|---|
Accounts Locked | Domain accounts that are locked out frequently | User (STRING) | Account Locked: Domain |
Application Issues | Applications exhibiting issues | Host Name (STRING) | IIS Virtual Memory Critical, SQL Server Low Buffer Cache Hit Ratio, SQL Server Low Log Cache Hit Ratio, SQL Server Excessive Deadlock, SQL Server Excessive Page Read/Write, SQL Server Low Free Pages In Buffer Pool, SQL Server Excessive Blocking, Database Server Disk Latency Critical, SQL Server Excessive Full Scan, SQL Server scheduled job failed, High Oracle Table Scan Usage, High Oracle Non-System Table Space Usage, Oracle database not backed up for 1 day, Exchange Server SMTP Queue High, Exchange Server Mailbox Queue High, Exchange Server RPC Request High, Exchange Server RPC Latency High, Oracle DB Low Buffer Cache Hit Ratio, Oracle DB Low Library Cache Hit Ratio, Oracle DB Low Row Cache Hit Ratio, Oracle DB Low Memory Sorts Ratio, Oracle DB Alert Log Error, Excessively Slow Oracle DB Query, Excessively Slow SQL Server DB Query, Excessively Slow MySQL DB Query |
Availability Issues | Servers, network devices, storage devices or applications that are exhibiting availability issues | Host Name (STRING) | Network Device Degraded - Lossy Ping Response, Network Device Down - No Ping Response, Server Degraded - Lossy Ping Response, Server Down - No Ping Response, Server Network Interface Staying Down, Network Device Interface Flapping, Server Network Interface Flapping, Important Process Staying Down, Important Process Down, Auto Service Stopped, Critical network Interface Staying Down, EC2 Instance Down, Storage Port Down, Oracle Database Instance Down, Oracle Listener Port Down, MySQL Database Instance Down, SQL Server Instance Down, Service Staying Down - Slow Response To STM, Service Down - No Response to STM, Service Staying Down - No Response to STM |
DNS Violators | Sources that send excessive DNS traffic or send traffic to unauthorized DNS gateways | Source IP | Excessive End User DNS Queries to Unauthorized DNS servers, Excessive End User DNS Queries, Excessive Denied End User DNS Queries, Excessive Malware Domain Name Queries, Excessive uncommon DNS Queries, Excessive Repeated DNS Queries To The Same Domain |
Denied Countries | Countries that are seeing a high volume of denials on the firewall | Destination Country (STRING) | Excessive Denied Connections From An External Country |
Denied Ports | Ports that are seeing a high volume of denials on the firewall | Destination Port (INT) | Excessive Denied Connection To A Port |
Environmental Issues | Environmental devices that are exhibiting issues | Host Name (STRING) | UPS Battery Metrics Critical, UPS Battery Status Critical, HVAC Temp High, HVAC Temp Low, HVAC Humidity High, HVAC Humidity Low, FPC Voltage THD High, FPC Voltage THD Low, FPC Current THD High, FPC ground current high, NetBotz Module Door Open, NetBotz Camera Motion Detected, Warning APC Trap, Critical APC Trap |
Hardware Issues | Servers, network devices or storage devices that are exhibiting hardware issues | Host Name (STRING) | Network Device Hardware Warning, Network Device Hardware Critical, Server Hardware Warning, Server Hardware Critical, Storage Hardware Warning, Storage Hardware Critical, Warning NetApp Trap, Critical Network Trap |
Host Scanners | Hosts that scan other hosts | Source IP | Heavy Half-open TCP Host Scan, Heavy Half-open TCP Host Scan On Fixed Port, Heavy TCP Host Scan, Heavy TCP Host Scan On Fixed Port, Heavy UDP Host Scan, Heavy UDP Host Scan On Fixed Port, Heavy ICMP Ping Sweep, Multiple IPS Scans From The Same Src |
Mail Violators | End nodes that send too much mail or send mail to unauthorized gateways | | Excessive End User Mail to Unauthorized Gateways, Excessive End User Mail |
Malware Found | Hosts where malware was found by host IPS/AV based systems and the malware is not remediated | Host Name (STRING) | Virus found but not remediated, Malware found but not remediated, Phishing attack found but not remediated, Rootkit found, Adware process found |
Malware Likely | Hosts that are likely to have malware, as detected by network devices; the determination is not as certain as host based detection | Source IP or Destination IP | Excessive Denied Connections From Same Src, Suspicious BotNet Like End host DNS Behavior, Permitted Blacklisted Source, Denied Blacklisted Source, Permitted Blacklisted Destination, Denied Blacklisted Destination, Spam/malicious Mail Attachment found but not remediated, Spyware found but not remediated, DNS Traffic to Malware Domains, Traffic to Emerging Threat Shadow server list, Traffic to Emerging Threat RBN list, Traffic to Emerging Threat Spamhaus list, Traffic to Emerging Threat Dshield list, Traffic to Zeus Blocked IP list, Permitted traffic from Emerging Threat Shadow server list, Permitted traffic from Emerging Threat RBN list, Permitted traffic from Emerging Threat Spamhaus list, Permitted traffic from Emerging Threat Dshield list, Permitted traffic from Zeus Blocked IP list |
Port Scanners | Hosts that scan ports on a machine | Source IP | Heavy Half-open TCP Port Scan: Single Destination, Heavy Half-open TCP Port Scan: Multiple Destinations, Heavy TCP Port Scan: Single Destination, Heavy TCP Port Scan: Multiple Destinations, Heavy UDP Port Scan: Single Destination, Heavy UDP Port Scan: Multiple Destinations |
Policy Violators | End nodes exhibiting behavior that is not acceptable in typical corporate networks | Source IP | P2P Traffic detected, IRC Traffic detected, P2P Traffic consuming high network bandwidth, Tunneled Traffic detected, Inappropriate website access, Inappropriate website access - multiple categories, Inappropriate website access - high volume, Inbound clear text password usage, Outbound clear text password usage, Remote desktop from Internet, VNC From Internet, Long lasting VPN session, High throughput VPN session, Outbound Traffic to Public DNS Servers |
Resource Issues | Servers, network devices or storage devices that are exhibiting resource issues (CPU, memory, disk space, disk I/O, network I/O, virtualization resources), either at the system level or the application level | Host Name (STRING) | High Process CPU: Server, High Process CPU: Network, High Process Memory: Server, High Process Memory: Network, Server CPU Warning, Server CPU Critical, Network CPU Warning, Network CPU Critical, Server Memory Warning, Server Memory Critical, Network Memory Warning, Network Memory Critical, Server Swap Memory Critical, Server Disk space Warning, Server Disk space Critical, Server Disk Latency Warning, Server Disk Latency Critical, Server Intf Util Warning, Server Intf Util Critical, Network Intf Util Warning, Network Intf Util Critical, Network IPS Intf Util Warning, Network IPS Intf Util Critical, Network Intf Error Warning, Network Intf Error Critical, Server Intf Error Warning, Server Intf Error Critical, Virtual Machine CPU Warning, Virtual Machine CPU Critical, Virtual Machine Memory Swapping Warning, Virtual Machine Memory Swapping Critical, ESX CPU Warning, ESX CPU Critical, ESX Memory Warning, ESX Memory Critical, ESX Disk I/O Warning, ESX Disk I/O Critical, ESX Network I/O Warning, ESX Network I/O Critical, Storage CPU Warning, Storage CPU Critical, NFS Disk space Warning, NFS Disk space Critical, NetApp NFS Read/Write Latency Warning, NetApp NFS Read/Write Latency Critical, NetApp CIFS Read/Write Latency Warning, NetApp CIFS Read/Write Latency Critical, NetApp ISCSI Read/Write Latency Warning, NetApp ISCSI Read/Write Latency Critical, NetApp FCP Read/Write Latency Warning, NetApp FCP Read/Write Latency Critical, NetApp Volume Read/Write Latency Warning, NetApp Volume Read/Write Latency Critical, EqualLogic Connection Read/Write Latency Warning, EqualLogic Connection Read/Write Latency Critical, Isilon Protocol Latency Warning |
Routing Issues | Network devices exhibiting routing related issues | Host Name (STRING) | OSPF Neighbor Down, EIGRP Neighbor down |
Scanned Hosts | Hosts that are scanned | Destination IP | Half-open TCP DDOS Attack, TCP DDOS Attack, Excessive Denied Connections to Same Destination |
Vulnerable Systems | Systems that have high severity vulnerabilities reported by scanners | Host Name (STRING) | Scanner found severe vulnerability |
Wireless LAN Issues | Wireless nodes triggering violations | MAC Address (STRING) | Rogue or Unsecure AP detected, Wireless Host Blacklisted, Excessive WLAN Exploits, Excessive WLAN Exploits: Same Source |