Activating and Deactivating a Rule

Activating a Rule Without a Workflow

You may want to deactivate a rule, for example to test it, instead of deleting it from the system. If you have permission to activate a rule, follow these steps:

  1. Go to RESOURCES > Rules.
  2. Browse or search to find the rule that you want to activate or deactivate.
  3. Select Active in the Active column to activate the rule, or clear the Active option to deactivate the rule. 

Activating a Rule Using a Workflow

Follow these steps to activate a rule by using a workflow.

Step 1 - Create Appropriate Roles for Users

Complete these steps to create a role that will require approval for rule activation/deactivation requests.

  1. Go to ADMIN > Settings > Role > Role Management.
  2. Click New to create a new role or edit an existing role by selecting a role from the table and clicking Edit.
  3. Make sure the Approver > Rule Activation/Deactivation option is not checked.
  4. Save the role definition.

Complete these steps to create a role that can approve rule activation/deactivation requests.

  1. Go to ADMIN > Settings > Role > Role Management.
  2. Click New to create a new role or edit an existing role by selecting a role from the table and clicking Edit.
  3. Make sure the Approver > Rule Activation/Deactivation option is checked.
  4. Save the role definition.

Step 2 - Map Users to Appropriate Roles

  1. Go to CMDB > Users.
  2. Select a user from the table and click Edit.
  3. In the Edit User dialog box, select the System Admin option, and click the Edit icon.
  4. Select the Requestor or Approver role as appropriate.

Step 3 - Request Rule to be Activated/Deactivated

  1. Go to RESOURCES > Rules.
  2. Select a rule, then select or clear the Active option in the Active column as needed. The Create New Request dialog box opens.
  3. If the role requires approval, select an approver from the Approver drop-down list.
  4. Click Submit.
  5. The approver will receive an email with a link to log back in to FortiSIEM and approve the request.

Step 4 - Approve the Rule Activation/Deactivation Requests

  1. Log in to FortiSIEM using a role that can approve rule activation/deactivation requests.
  2. Click Approval. The table in the TASKS page lists pending requests.
  3. To process the requests, scroll to the right-hand end of the row.
  4. From the drop-down list, select Approve or Reject.
    • If you select Approve, the Approve Request dialog box opens. You can choose whether the request is valid Until or For the date and time listed in the time stamp field. You can click the time stamp field to choose a different date and time.
    • If you choose Reject, the Reject Request dialog box opens where you can enter a reason for the rejection.
  5. If you choose Approve, the rule will be enabled or disabled.

Step 5 - View the Rule Activation/Deactivation Request Status

Complete this step to see the status of your rule activation/deactivation requests.

  1. Log in to FortiSIEM using the same account as in Step 3.
  2. Click Request. The table in the TASKS page shows the status of requests.