Running a Built-in Search

FortiSIEM provides a number of built-in reports.

Complete these steps to run a built-in report:

  1. Go to the ANALYTICS tab.
  2. From the folder drop-down list on the left, select the Shortcuts or the Reports folder.
    • The Shortcuts folder contains a few quick reports.
    • The Reports folder contains the entire collection of built-in reports.
      You can search for a specific report in either collection by entering keywords in the Search box.
  3. Select a specific report and click >.
  4. If you are generating the report from Shortcuts, select whether you want to run the report in the currently selected tab or in a new tab.
    Note: Running the search in the currently selected tab discards the existing results displayed on that tab.
    The query will run and display the results.
    Note: You can also run the reports from the RESOURCES > Reports folder.
  5. Click Apply & Run.

Search can be performed in two modes:

  • Real-time mode – from the current time onwards. This mode runs only built-in searches that have no aggregation (for example, Shortcuts > Raw Messages). Note that every time you re-run this query, the displayed results will change.
  • Historical mode – for previous time periods. Any query can be run in this mode. Note that the displayed search results will not change if you re-run this query for an Absolute time range.

To run a real-time search

  1. Click the Edit Filters and Time Range edit box.
    The filter conditions are displayed for the selected built-in query. See Understanding Search Components.

  2. For Time Range, select Real-time.

  3. Click Apply & Run.


To run a historical search

  1. Click the Edit Filters and Time Range edit box.
    The filter conditions are displayed for the selected built-in query. See Understanding Search Components.

  2. For Time, select the Relative or Absolute option.
    1. For the Relative option, the query runs over a duration in the past, measured back from the current time. Select the value and the time scale (Minutes/Hours/Days).
    2. For the Absolute option, the query runs over a specific time window in the past. There are two ways to specify this:
      1. Using two explicitly defined time epochs.
      2. Using the Always prior option to define time periods such as last 1 week or last 2 months. If you want to re-run the same report on a daily basis, you do not have to change the time period.
  3. For Event Source, select the Online or Archive option.
    1. For the Online option, the query checks the configured online source.
    2. For the Archive option, the query checks the configured archive source.
  4. For Trend Interval, select Auto, Hourly, Daily, or Weekly. When you include a trend event attribute for a chart, such as Event Receive Hour, Event Receive Daily, or Event Receive Weekly, pick the appropriate configuration so your chart appears correctly.
  5. Click Apply & Run.
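The historical-search options above interact in ways that are easy to get wrong when a report is scheduled or re-run: a Relative or Always prior window moves with the run time, an Absolute window with two epochs does not, and the Trend Interval decides which bucket each event lands in on the chart. The following Python model, added here as an illustration and not FortiSIEM code or its API, makes those semantics concrete. Everything in it is an assumption for the example: the reference time `NOW`, the constructed event timestamps, the rule `auto_interval` uses to pick a bucket size for Auto, and the treatment of Always prior as a rolling window that ends at the run time.

```python
from calendar import monthrange
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed reference "current time" for the example (UTC); not from a real run.
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)

# Constructed event receive times. In FortiSIEM these would come from the
# online or archive store chosen under Event Source.
EVENTS = [
    NOW - timedelta(minutes=5),
    NOW - timedelta(minutes=50),
    NOW - timedelta(hours=3),
    NOW - timedelta(days=1, hours=2),
    NOW - timedelta(days=3),
    NOW - timedelta(days=10),
]


def relative_window(now, value, scale):
    """Relative option: a duration in the past, measured back from the run time."""
    delta = {
        "Minutes": timedelta(minutes=value),
        "Hours": timedelta(hours=value),
        "Days": timedelta(days=value),
    }[scale]
    return (now - delta, now)


def absolute_window(start, end):
    """Absolute option with two explicit epochs: fixed, so re-runs see the same data."""
    if end <= start:
        raise ValueError("end must be after start")
    return (start, end)


def shift_months(dt, months):
    """Move dt back by whole calendar months, clamping the day to the target month."""
    total = dt.year * 12 + (dt.month - 1) - months
    year, month0 = divmod(total, 12)
    month = month0 + 1
    day = min(dt.day, monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def always_prior_window(now, value, unit):
    """Always prior option, modelled here (assumption) as a rolling window ending at
    the run time, so a report re-run daily keeps 'last 1 week' without edits."""
    if unit == "Weeks":
        return (now - timedelta(weeks=value), now)
    if unit == "Months":
        return (shift_months(now, value), now)
    raise ValueError(f"unsupported unit: {unit}")


def auto_interval(window):
    """Assumed Auto rule for this example: choose the bucket size from the window length."""
    span = window[1] - window[0]
    if span <= timedelta(days=2):
        return "Hourly"
    if span <= timedelta(days=60):
        return "Daily"
    return "Weekly"


def trend_bucket(ts, interval):
    """Floor a timestamp to its Event Receive Hour / Daily / Weekly bucket."""
    hour = ts.replace(minute=0, second=0, microsecond=0)
    if interval == "Hourly":
        return hour
    day = hour.replace(hour=0)
    if interval == "Daily":
        return day
    if interval == "Weekly":
        return day - timedelta(days=day.weekday())  # weeks start on Monday
    raise ValueError(f"unsupported interval: {interval}")


def trend_counts(events, window, interval="Auto"):
    """Count events per trend bucket inside the window; keys are ISO timestamps."""
    start, end = window
    if interval == "Auto":
        interval = auto_interval(window)
    counts = Counter(trend_bucket(ts, interval) for ts in events if start <= ts < end)
    return {k.isoformat(): v for k, v in sorted(counts.items())}


if __name__ == "__main__":
    last_week = relative_window(NOW, 7, "Days")
    print("Relative 7 Days, Auto:  ", trend_counts(EVENTS, last_week))
    print("Relative 7 Days, Weekly:", trend_counts(EVENTS, last_week, "Weekly"))
    # Re-running a day later moves a relative window but leaves an absolute one alone.
    print("Relative start tomorrow:", relative_window(NOW + timedelta(days=1), 7, "Days")[0])
    fixed = absolute_window(NOW - timedelta(days=7), NOW)
    print("Absolute start tomorrow:", fixed[0])
```

Two points worth noticing when running it: the same six events produce a different chart depending on whether the interval is Hourly, Daily or Weekly, which is why the trend attribute you add to the chart has to match the Trend Interval you pick; and the relative window's start moves by one day when the run time moves by one day, which is the behaviour the note about Absolute time ranges above describes from the other side.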