List View

This tabular view enables the user to search incidents and take actions.

Viewing Incidents

To see this view, click INCIDENTS in the FortiSIEM header. By default, the List by Time view opens. The INCIDENTS view also allows you to filter data by device and by incident.

You can set INCIDENTS as the default view by selecting User Profile > UI Settings then choosing Incidents from the Home drop-down list. You can filter the INCIDENTS view further by choosing List – by Time, List – by Device, or List – by Incident from the Incident Home drop-down list.

An incident's status can be one of the following: 

  • Active: An ongoing incident.
  • Manually Cleared: Cleared manually by a user - the incident is no longer active.
  • Auto Cleared: Automatically cleared by the system when the rule clearing condition is met. Rule clearance logic can be set in the rule definition.
  • System Cleared: Cleared by the system. All non-security related incidents are cleared from the system every night at midnight local time, and will show a status of System Cleared.
  • Externally Cleared: Cleared in the external ticketing system.

The resolution for an incident can be:

  • Open
  • True Positive, or
  • False Positive

When an Incident Status is Active, Incident Resolution is Open. When an Incident is Cleared, then the user can set the Incident Resolution to be True Positive or False Positive. If you are changing the Incident Resolution to be True Positive or False Positive, then you must Clear the Incident.

The following sections describe the three views that are available through the INCIDENTS view:

List by Time View

The List by Time view displays a table of the incidents which have been active in the last 2 hours. The Last Occurred column contains the incidents sorted by time, with the most recent first. By default, the view refreshes automatically every minute. The refresh menu on the top bar allows the user to disable automatic refresh or choose a different refresh interval.

Unique to the List by Time view is a list of five time range buttons which appear above the paginator. They allow you to filter data by the last 15 minutes, 1 hour, 1 day, 7 days, or 30 days.

The following attributes are shown for each incident:

  • Severity - HIGH (Red), MEDIUM (Yellow), or LOW (Green).
  • Last Occurred - last time this incident occurred.
  • Incident - name of the incident.
  • Tactics - name of the tactics involved with the incident.
  • Technique - name of the techniques involved with the incident.
  • Reporting - set of devices that is reporting the incident.
  • Source - source of the incident (host name or IP address).
  • Target - target of the incident (host name or IP address or user).
  • Detail - other incident details, for example, Counts, Average CPU utilization, file name, and so on.

To see the incident details, click the incident. A bottom panel appears that shows more details about the incident:

  • Details - includes the full list of incident attributes that are not shown in the top pane.

    Column - Description
    Biz Service - Impacted biz services to which either the incident source or target belongs.
    Category - Category of incidents triggered.
    Cleared Reason - For manually cleared incidents, this displays the reason the incident was cleared.
    Cleared Time - Time when the incident was cleared.
    Cleared User - User who cleared the incident.
    Count - Number of times this incident has occurred with the same incident source and target criteria.
    Detail - Event attributes that triggered the incident.
    Event Type - Event type associated with this incident. All incidents with the same name have the same Incident Type.
    External Cleared Time - Time when the incident was resolved in an external ticketing system.
    External Resolve Time - Resolution time in an external ticketing system.
    External Ticket ID - ID of a ticket in an external ticketing system such as ServiceNow, ConnectWise, etc.
    External Ticket State - State of a ticket in an external ticketing system.
    External Ticket Type - Type of the external ticketing system (ServiceNow, ConnectWise, Salesforce, Remedy).
    External User - External user assigned to a ticket in an external ticketing system.
    First Occurred - The first time that the incident was triggered.
    Incident - Name of the rule that triggered the incident. Use the drop-down list near the Incident if you must add this incident to the filter.
    Incident Comments - Comments added by the user.
    Incident ID - Unique ID of the incident in the Incident database.
    Incident Status - An incident's status can be one of the following:
      • Active: An ongoing incident.
      • Manually Cleared: Cleared manually by a user - the incident is no longer active.
      • Auto Cleared: Automatically cleared by the system when the rule clearing condition is met. Rule clearance logic can be set in the rule definition.
      • System Cleared: Cleared by the system. All non-security related incidents are cleared from the system every night at midnight local time, and will show a status of System Cleared.
      • Externally Cleared: Cleared in the external ticketing system.
    Incident Title - A system default title or a user-defined title for an incident.
    Last Occurred - The last time when the incident was triggered.
    Notification Recipient - User who was notified about the incident.
    Notification Status - Status of the Notification: Success or Fail.
    Organization - Organization of the reporting device (for Service Provider installations).
    Reporting - Reporting device.
    Reporting IP - IP addresses of the devices reporting the incident.
    Reporting Status - Status of the device: Approved or Pending. You must approve devices for the incidents to trigger, but they will still be monitored.
    Resolution - The resolution for an incident can be:
      • Open (not defined or not known whether the incident is True Positive or False Positive)
      • True Positive, or
      • False Positive

      When an Incident Status is Active, Incident Resolution is Open. When an Incident is Cleared, then the user can set the Incident Resolution to be True Positive or False Positive. If you are changing the Incident Resolution to be True Positive or False Positive, then you must Clear the Incident.

    Severity - Incident Severity is an integer in the range 0-10 (0-4 is set as Low, 5-8 as Medium, and 9-10 as High).
    Severity Category - Incident Severity Category: High, Medium or Low.
    Source - Source IP or host name that triggered the incident.
    Subcategory - Subcategory of the triggered incident. To add custom subcategories to an incident category, see here.
    Target - IP or host name where the incident occurred.
    Ticket ID - ID of the ticket if created in FortiSIEM.
    Ticket Status - Status of any tickets associated with the incident.
    Ticket User - User assigned to a ticket if created in FortiSIEM.
    View Status - Whether the Incident has been Read or Not.
  • Events - this displays the set of events that triggered the incident. If an incident involves multiple sub-patterns, select the sub-pattern to see the events belonging to that sub-pattern. For Raw Event Log column, click Show Details from the drop-down to see the parsed fields for that event.
  • Rule - this displays the Definition of Rule that Triggered the Incident and the Triggered Event Attributes.

To close the incident details pane, click the highlighted incident.

List by Device View

The upper pane of the List by Device view lists the devices that are experiencing incidents. In the list, the device can be identified by either an IP or a host name. The name of the device is followed by the number of incidents in parentheses. Click the device name to see the incidents associated with the device. The lower portion of the view contains the same features and functionality as the List by Time view.

List by Incident View

The upper pane of the List by Incident view lists the incidents detected by FortiSIEM. The name of the incident is followed by the number of incidents in parentheses. Click the incident name to see the incidents associated with the device. The lower portion of the view contains the same features and functionality as the List by Time view.

Acting on Incidents

The Actions menu provides a list of actions that can be taken on incidents. To see a Location View of the incidents, select Locations from the Actions menu. FortiSIEM has a built in database of locations of public IP addresses. Private IP address locations can be defined in ADMIN > Settings > Discovery > Location.

To change the incident attribute display columns in the List View, select Change Display Columns from the Actions menu, select the desired attributes and click Close.

You can perform the following operations using the Actions menu:

Changing the Severity of an Incident

  1. Select the incident.
  2. Select Change Severity from the Actions menu.
  3. Select Change to HIGH, MEDIUM, or LOW.

Searching Incidents

  1. Select Search from the Actions menu.
  2. In the left pane, click an Incident attribute (for example, Function). All possible values of the selected attribute are shown, each with a count next to it (for example, Security, Availability and Performance for Function).
  3. Select any value (for example, Performance) and the right pane updates with the relevant incidents.
  4. Click and select other Incident Attributes to refine the Search or click X to cancel the selection.

Changing the Time Range for the Search

  1. Select Search from the Actions menu.
  2. Near the top of the left panel, click the time value.
  3. Click Relative or Absolute:
    • If you click Relative, adjust the time value in the Last field.
    • If you click Absolute, enter a time range. If you select Always Prior, enter a time period prior to the current time.

Saving the Search Criteria

Once you have performed your search, follow these steps to save the search criteria:

  1. Click the Save icon, which appears above the list of incident attributes, and to the right of Search.
  2. In the Save Search Filter under by Time as dialog box, enter a name for the filter or accept the default. The default will be a time stamp value such as Search Filters - 12/17/2019 17:04:59.

The filter will appear in the Search drop-down list, for example:

  • When saving a filter based on the List by Time View, it displays in the Search drop-down list.
  • When saving a filter based on the List by Device View, it displays in the Search drop-down list.
  • When saving a filter based on the List by Incident View, it displays in the Search drop-down list.

Searching for MITRE ATT&CK Incidents

To find incidents that fall into any of the MITRE ATT&CK categories, follow these steps:

  1. Select Search from the Actions menu.
  2. Click Tactics or Technique in the left pane.

    The total number of security incidents will appear under the selected MITRE ATT&CK category.

  3. Select one or more checkboxes next to the categories of interest.

    The incidents associated with the category are displayed.

For more information on MITRE ATT&CK views and MITRE ATT&CK categories, see MITRE ATT&CK View.

Clearing One or More Incidents

  1. Search for specific incidents and move them into the right pane.
  2. Select the first incident.
  3. Press and hold the Shift key and select the last incident – all incidents between the first and the last are highlighted.
  4. Select Clear Incident from the Actions menu.
  5. Select whether the Resolution is True Positive or False Positive.
  6. Enter a Reason for clearing.
  7. Click OK.

Clearing All Incidents from the Incident View

You can remove all occurrences of selected incidents from the Incident View. This action can potentially span multiple pages.

  1. Search for specific incidents and move them into the right pane.
  2. Select Clear All Incidents in View from the Actions menu.
  3. Select whether the Resolution is True Positive or False Positive.
  4. Enter a Reason for clearing.
  5. Click OK.

Disabling One or More Rules

  1. Search for specific incidents and move them into the right pane.
  2. Select the first incident.
  3. Press and hold the Shift key and select the last incident – all incidents between the first and the last are highlighted.
  4. Select Disable Rule from the Actions menu.
  5. For Service Provider installations, select the Organizations for which to disable the rule.
  6. Click OK.

Adding or Editing Comments for One or More Incidents

  1. Search for specific incidents and move them into the right pane.
  2. Select the first incident.
  3. Press and hold the Shift key and select the last incident – all incidents between the first and the last are highlighted.
  4. Select Edit Comment from the Actions menu.
  5. Enter or edit the comment in the edit box.
  6. Click OK.

Exporting One or More Incidents into a PDF or CSV File

  1. Search for specific incidents and move them into the right pane.
  2. Select the first incident.
  3. Press and hold the Shift key and select the last incident – all incidents between the first and the last are highlighted.
  4. Select Export from the Actions menu.
  5. Enter or edit the comment in the edit box.
  6. Select the Output Format and Maximum Rows.
  7. Click Generate.
    A file will be downloaded in your browser.
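
An exported CSV can be checked offline against the status and resolution rules described on this page, and used to find rules that produce mostly False Positive incidents and are candidates for fine tuning. The following Python script is an added example, not FortiSIEM code; the CSV header names are taken from the display columns on this page and, like the rule names and rows in the sample, are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names follow the display columns listed on
# this page; the real CSV header layout and the rule names are assumptions.
SAMPLE_CSV = """Incident,Incident Status,Resolution,Severity
Brute Force Login Success,Manually Cleared,True Positive,9
Brute Force Login Success,Manually Cleared,False Positive,9
High CPU Utilization,System Cleared,Open,5
High CPU Utilization,Active,Open,4
Excessive Denied Connections,Manually Cleared,False Positive,7
Excessive Denied Connections,Auto Cleared,False Positive,7
Excessive Denied Connections,Active,True Positive,7
"""

STATUSES = {"Active", "Manually Cleared", "Auto Cleared",
            "System Cleared", "Externally Cleared"}
RESOLUTIONS = {"Open", "True Positive", "False Positive"}


def severity_category(severity):
    """Map the 0-10 integer severity to Low (0-4), Medium (5-8), High (9-10)."""
    if not 0 <= severity <= 10:
        raise ValueError(f"severity out of range: {severity}")
    return "Low" if severity <= 4 else "Medium" if severity <= 8 else "High"


def triage(csv_text):
    """Return (violations, report); report ranks rules by false-positive ratio."""
    violations = []
    stats = defaultdict(lambda: {"tp": 0, "fp": 0, "sev": 0})
    rows = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        name, status, res = row["Incident"], row["Incident Status"], row["Resolution"]
        if status not in STATUSES or res not in RESOLUTIONS:
            violations.append((line_no, name, "unknown status or resolution"))
            continue
        # An Active incident is always Open; a verdict requires a cleared incident.
        if status == "Active" and res != "Open":
            violations.append((line_no, name, f"Active incident with resolution {res}"))
            continue
        entry = stats[name]
        entry["sev"] = max(entry["sev"], int(row["Severity"]))
        if res == "True Positive":
            entry["tp"] += 1
        elif res == "False Positive":
            entry["fp"] += 1
    report = []
    for name, entry in stats.items():
        judged = entry["tp"] + entry["fp"]
        if judged:  # rules with only Open incidents have no verdict to rank
            report.append((name, entry["fp"] / judged, judged,
                           severity_category(entry["sev"])))
    report.sort(key=lambda r: (-r[1], -r[2]))  # highest FP ratio first
    return violations, report


if __name__ == "__main__":
    bad_rows, ranking = triage(SAMPLE_CSV)
    print("inconsistent rows:", bad_rows)
    print("rules by false-positive ratio:", ranking)
```

Each report entry is (rule name, false-positive ratio, number of incidents with a verdict, highest severity category seen).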

Fine Tuning a Rule Triggering an Incident

  1. Select an incident.
  2. Select Edit Rule from the Actions menu.
  3. In the Edit Rule dialog box, make the required changes.
  4. Click OK.

Creating an Exception for the Rule

  1. Select an incident.
  2. Select Edit Rule Exception from the Actions menu.
  3. In the Edit Rule Exception dialog box, make the required changes:
    1. For Service provider deployments, select the Organizations for which the exception will apply.
    2. Select the exception criteria:
      1. For incident attribute based exceptions, select the incident attributes for which the rule will not trigger.
      2. For time based exceptions, select the time for which the rule will not trigger.
      3. Select AND/OR between the two criteria.
      4. Add Notes.
    3. Click Save.

Creating Event Dropping Rules

Event Dropping Rules may need to be created to prevent an incident from triggering. To create such a rule:

  1. Select an incident.
  2. Select Event Dropping Rule from the Actions menu.
  3. In the Event Dropping Rule dialog box, enter the event dropping criteria:
    1. Organization - For Service provider deployments, select the organizations for which the exception will apply.
    2. Reporting Device - Select the device whose reported events will be dropped.
    3. Event Type - Select the matching event types.
    4. Source IP - Select the matching source IP address in the event.
    5. Destination IP - Select the matching destination IP address in the event.
    6. Action - Choose to drop the events completely or store them in the event database. If you store events, you can select the following actions:
      • Do not trigger rules
      • Drop attributes (Click the edit icon to open the selection window and select the attributes to drop)
    7. Regex filter - Select a regex filter to match the raw event log.
    8. Description - Add a description for the drop rule.
  4. Click Save.
    The rule will appear in ADMIN > Settings > Event Handling > Dropping.

Creating a Ticket

See Creating a ticket from the INCIDENTS tab.

Emailing Incidents

Incidents can be emailed to one or more recipients. Make sure that Email settings are defined in ADMIN > Settings > System > Email. Note that email notification from the Incident page is somewhat ad hoc and must be manually set up by the user after the incident has triggered. To define an automatic notification, create an Incident Notification Policy in ADMIN > Settings > Notification Policy. To email one or more incidents on demand:

  1. Search for specific incidents and move them into the right pane.
  2. Select the first incident.
  3. Press and hold the Shift key and select the last incident – all incidents between the first and the last are highlighted.
  4. Select Notify via Email from the Actions menu and enter the following information:
    1. Send To – a list of receiver email addresses, separated by commas.
    2. Email template – Choose an email template. You can use the default email template, or create your own in ADMIN > Settings > System > Email > Incident Email Template.

Creating a Remediation Action

Incidents can be mitigated by deploying a mitigation script, for example, blocking an IP in a firewall or disabling a user in Active Directory. Note that this type of incident mitigation from the Incident page is somewhat ad hoc and must be manually set up by the user after the incident has triggered.

To define an automatic remediation, create an Incident Notification Policy in ADMIN > Settings > General > Notification Policy. Click New, and in the Notification Policy dialog box, select Run Remediation/Script in the Action section. To create a remediation action:

  1. Select an incident.
  2. Select Remediate Incident from the Actions menu.
  3. Choose the Enforce On devices – the script will run on those devices. Make sure that FortiSIEM has working credentials for these devices defined in ADMIN > Setup > Credentials.
  4. Choose the Remediation script from the drop-down menu.
  5. Choose the node on which the remediation will Run On from the drop-down list.
  6. Click Run. If the user does not have permission to run remediation, a Create New Request window will appear. Take the following actions:
  7. In the Approver drop-down list, select an approver. Fortinet recommends selecting all approvers to better ensure a response.
  8. In the Type drop-down list, ensure Remediation Request is selected.
  8. In the Justification field, enter an explanation of why you want to run a remediation.
  9. Click Submit. An email with your request will be sent to all selected approvers. Approvers will receive a pending task notification in the FortiSIEM console, where they can resolve the request.
  11. If you receive an email with an approval, repeat steps 1 through 6 before the expiration. If you received a rejection or received approval that has expired, repeat steps 1-10 if you wish to try again.

 

Show Ticket History

  1. Select an incident.
  2. Select Show Ticket History from the Actions menu.
  3. The Ticket History dialog box opens and displays the following information: 
    Field - Description
    Detail:
    Incident ID - The unique ID of the incident in the incident database.
    Due Date - The date by which the ticket should be resolved.
    Escalation Policy - The escalation policy defined for the incident.
    Attachment - The list of files related to the incident.

    Action History:
    Created at - The time when the incident was created.
    Incident Name - The name of the rule that triggered the incident.
    Incident Target - The IP or host name where the incident occurred.
    Incident Detail - The event attributes that triggered the incident.
    Incident ID - The unique ID of the incident in the incident database.