Activating and Deactivating a Rule

Activating a Rule Without a Workflow

You may want to deactivate a rule, for example to test it, instead of deleting it from the system. If you have permission to activate a rule, follow these steps:

  1. Go to RESOURCES > Rules.
  2. Browse or search to find the rule that you want to activate or deactivate.
  3. Select Active in the Active column to activate the rule, or clear the Active option to deactivate the rule. 

Activating a Rule Using a Workflow

Follow these steps to activate a rule by using a workflow.

Step 1 - Create Appropriate Roles for Users

Complete these steps to create a role that will require approval for rule activation/deactivation requests.

  1. Go to ADMIN > Settings > Role > Role Management.
  2. Click New to create a new role or edit an existing role by selecting a role from the table and clicking Edit.
  3. Make sure the Approver > Rule Activation/Deactivation option is not checked.
  4. Save the role definition.

Complete these steps to create a role that can approve rule activation/deactivation requests.

  1. Go to ADMIN > Settings > Role > Role Management.
  2. Click New to create a new role or edit an existing role by selecting a role from the table and clicking Edit.
  3. Make sure the Approver > Rule Activation/Deactivation option is checked.
  4. Save the role definition.

Step 2 - Map Users to Appropriate Roles

  1. Go to CMDB > Users.
  2. Select a user from the table and click Edit.
  3. In the Edit User dialog box, select the System Admin option, and click the Edit icon.
  4. Select the Requestor or Approver role as appropriate.

Step 3 - Request Rule to be Activated/Deactivated

  1. Go to RESOURCES > Rules.
  2. Select a rule, then select or clear the Active option in the Active column as needed. The Create New Request dialog box opens.
  3. If the role requires approval, select an approver from the Approver drop-down list.
  4. Click Submit.
  5. The approver will receive an email with a link to log back in to FortiSIEM and approve the request.

Step 4 - Approve the Rule Activation/Deactivation Requests

  1. Log in to FortiSIEM using a role that can approve rule activation/deactivation requests.
  2. Click Approval. The table in the TASKS page lists pending requests.
  3. To process the requests, scroll to the right-hand end of the row.
  4. From the drop-down list, select Approve or Reject.
    • If you select Approve, the Approve Request dialog box opens. You can choose whether the request is valid Until or For the date and time listed in the time stamp field. You can click the time stamp field to choose a different date and time.
    • If you choose Reject, the Reject Request dialog box opens where you can enter a reason for the rejection.
  5. If you choose Approve, the rule will be enabled or disabled.

Step 5 - View the Rule Activation/Deactivation Request Status

Complete this step to see the status of your rule activation/deactivation requests.

  1. Log in to FortiSIEM using the same account as in Step 3.
  2. Click Request. The table in the TASKS page shows the status of requests.

Activating/Deactivating Multiple Rules

If you have permission to activate a rule, follow these steps to activate/deactivate multiple rules with a single click. 

  1. Go to RESOURCES > Rules.
  2. Click the Edit icon and select Multiple Rules.
  3. From the Edit Multiple Rules window, take the following steps:

    1. In the leftmost panel, expand Rules and the rule categories/sub-categories (Availability, Network, etc.) to locate your rule(s) in the middle panel.

    2. In the middle panel, select the rule(s) whose activation/deactivation settings you wish to change. You can use Shift-Click to select a group of ascending or descending rules from your first selection. You can also use Ctrl-Click to individually select a group of rules.

    3. Click > to add the selected rule(s) for activation/deactivation.
      Note: You can also select a rule in the rightmost panel and click < to remove it from the group selection.

    4. When you are done selecting all the rules you wish to change, take any of the following actions in the Select Actions panel:

      • Select a Severity from the Severity drop-down list to change the severity of your selected rules.

      • Select/deselect Active Status for New Org to make the selected rules active or inactive for new organizations by default.

      • From the All Status for Existing Orgs and specific org checkboxes, select a checkbox to make the selected rules active for that organization, or clear a checkbox to make the selected rules inactive for that organization.

  4. When done, click Save.