Running a Built-in Search
FortiSIEM provides a number of built-in reports.
Complete these steps to run a built-in report:
- Go to the ANALYTICS tab.
- From the folder drop-down list on the left, select the Shortcuts or the Reports folder.
- The Shortcuts folder contains a few quick reports.
- The Reports folder contains the entire collection of built-in reports.
You can search for a specific report in either collection by entering keywords in the Search box.
- Select a specific report and click >.
- If you are generating the report from Shortcuts, select whether to run the report in the currently selected tab or in a new tab.
Note: Running a search in the currently selected tab discards the results currently displayed on that tab.
- Click Apply & Run.
The query runs and displays the results.
Note: You can also run the reports from the RESOURCES > Reports folder. See here.
Search can be performed in two modes:
- Real-time mode – from the current time onwards. This mode runs only built-in searches that have no aggregation (for example, Shortcuts > Raw Messages). Note that every time you re-run this query, the displayed results will change.
- Historical mode – for previous time periods. Any query can be run in this mode. Note that the displayed search results will not change if you re-run this query with an Absolute time range.
To run a real-time search:
- Click the Edit Filters and Time Range edit box.
The filter conditions are displayed for the selected built-in query. See Understanding Search Components.
- For Time Range, select Real-time.
- Click Apply & Run.
To run a historical search:
- Click the Edit Filters and Time Range edit box.
The filter conditions are displayed for the selected built-in query. See Understanding Search Components.
- For Time, select the Relative or Absolute option.
- For the Relative option, the query runs for a duration in the past, counted back from the current time. Select the value and the time scale (Minutes/Hours/Days).
- For the Absolute option, the query runs for a specific time window in the past. There are two ways to specify this:
- Using two explicitly defined points in time (a start and an end).
- Using the Always prior option to define periods such as the last 1 week or the last 2 months. If you re-run the same report daily, you do not have to change the time period.
- For Event Source, select the Online or Archive option.
- For the Online option, the query searches the configured online event source.
- For the Archive option, the query searches the configured archive event source.
- For Trend Interval, select Auto, Hourly, Daily, or Weekly. When you include a trend event attribute for a chart, such as Event Receive Hour, Event Receive Daily, or Event Receive Weekly, pick the appropriate configuration so your chart appears correctly.
- Click Apply & Run.
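The choice between Relative, an explicit Absolute window and Always prior decides whether re-running the same search later returns the same events, which matters when a report is saved as evidence during an incident. The Python below resolves each option to a concrete [start, end) window and checks whether two runs at different times query the same window. It is an illustrative example added to this page, not FortiSIEM code or its API; the spec dictionary, the function names, and the midnight alignment assumed for Always prior are assumptions made for the example.

```python
"""Added example: resolving FortiSIEM-style time-range choices to windows.
Illustrative code written for this page, not FortiSIEM's own implementation."""
from datetime import datetime, timedelta, timezone

# Time scales offered by the Relative option on the page.
RELATIVE_SCALES = {
    "Minutes": timedelta(minutes=1),
    "Hours": timedelta(hours=1),
    "Days": timedelta(days=1),
}

# Units handled for Always prior in this example; months need calendar
# arithmetic and are left out of the illustration.
ALWAYS_PRIOR_UNITS = {"Days": timedelta(days=1), "Weeks": timedelta(weeks=1)}


def relative_window(now, value, scale):
    """Relative: a duration in the past counted back from the run time.
    The window moves with every run, so the result set is not stable."""
    if value <= 0 or scale not in RELATIVE_SCALES:
        raise ValueError(f"bad Relative range: {value} {scale}")
    return now - value * RELATIVE_SCALES[scale], now


def absolute_window(start, end):
    """Absolute with two explicit timestamps: the window never moves, so a
    re-run covers exactly the same period (the reproducible case)."""
    if end <= start:
        raise ValueError("Absolute end must be after start")
    return start, end


def always_prior_window(now, value, unit):
    """Absolute > Always prior ('last 1 week', ...).
    ASSUMPTION for this example: the window is the previous `value` whole
    units ending at the most recent midnight of the run time, so it moves
    once per day rather than continuously; a daily scheduled report therefore
    needs no edits to its time period."""
    if value <= 0 or unit not in ALWAYS_PRIOR_UNITS:
        raise ValueError(f"bad Always prior range: {value} {unit}")
    end = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return end - value * ALWAYS_PRIOR_UNITS[unit], end


def resolve(spec, now):
    """Turn a time-range spec (a dict mirroring the UI choices; hypothetical
    shape) into a concrete [start, end) window for a run at `now`."""
    kind = spec["kind"]
    if kind == "Relative":
        return relative_window(now, spec["value"], spec["scale"])
    if kind == "Absolute":
        return absolute_window(spec["start"], spec["end"])
    if kind == "AlwaysPrior":
        return always_prior_window(now, spec["value"], spec["unit"])
    raise ValueError(f"unknown time range kind: {kind}")


def is_reproducible(spec, first_run, second_run):
    """True when re-running the same spec later queries the same window."""
    return resolve(spec, first_run) == resolve(spec, second_run)


# Constructed run times: the same day, 90 minutes apart, and the next morning.
RUN_T1 = datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)
RUN_T2 = RUN_T1 + timedelta(minutes=90)
RUN_NEXT_DAY = RUN_T1 + timedelta(days=1)

# Constructed specs covering the three choices described on the page.
EXAMPLE_SPECS = {
    "Relative 2 Hours": {"kind": "Relative", "value": 2, "scale": "Hours"},
    "Absolute explicit": {
        "kind": "Absolute",
        "start": datetime(2024, 3, 4, 0, 0, tzinfo=timezone.utc),
        "end": datetime(2024, 3, 5, 0, 0, tzinfo=timezone.utc),
    },
    "Always prior 1 Week": {"kind": "AlwaysPrior", "value": 1, "unit": "Weeks"},
}


if __name__ == "__main__":
    for name, spec in EXAMPLE_SPECS.items():
        start, end = resolve(spec, RUN_T1)
        print(f"{name:20} {start.isoformat()} -> {end.isoformat()} "
              f"stable 90 min later: {is_reproducible(spec, RUN_T1, RUN_T2)} "
              f"stable next day: {is_reproducible(spec, RUN_T1, RUN_NEXT_DAY)}")
```

Running the script shows the practical difference: the Relative window shifts even between two runs an hour and a half apart, the explicit Absolute window is identical on every run, and the Always prior window (under the alignment assumed here) is stable within a day but moves when the daily scheduled run happens the next morning. When a search result is going to be cited in an incident report, record the resolved start and end alongside it rather than the relative setting.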