Understanding Search Components

To perform a well-defined search, see the following sections:

Specifying Search Filters

Complete these steps to specify search filters:

  1. Click the Edit Filters and Time Range edit box.
  2. Specify a filter condition:
    1. Event Keyword - Enter any related keyword for search.
    2. Event Attribute - Choose an event attribute from the drop-down list or build an expression using the expression builder. Only those event attributes based on the event type will be displayed.
      1. Operator - Choose the operator from the drop-down list.
      2. Value - Enter a value in the edit box, or choose from CMDB, or build an expression using the expression builder, or select from Report.
    3. CMDB Attribute - Select a Target from the drop-down list. In the table, enter the CMDB attributes you want to search on.
      1. Select the Attribute.
      2. Select the Operator; the most common operators are IN and NOT IN.
      3. Click in the Value field and select Select from Report or Select from CMDB.
  3. If more than one filter condition is needed, then click + under Row.
    1. Specify the AND/OR operator under Next.
    2. Specify the next filter condition. When you click in the Attribute field, FortiSIEM will display only those attributes that can be used with the previous attribute.
    3. Apply parentheses if needed to prioritize filter evaluation by clicking + on the Paren icon.
  4. Note that rows can be deleted by clicking - under Row, and parentheses can be deleted by clicking - under Paren.

Specifying Search Time Window

Complete these steps to specify search filters and time window:

  1. Click the Edit Filters and Time Range edit box.
  2. Specify the time window:
    1. Real-time mode – only from the current time onwards.
    2. Historical mode – for previous time periods that have already occurred. Select Relative or Absolute option.
      • For the Relative option, the query runs over a duration in the past, counted back from the current time. Choose the time scale (Minutes/Hours/Days) and the quantity.
      • For the Absolute option, the query will run for a specific time window in the past. There are two ways to specify this:
        • Using two explicitly defined time epochs.
        • Using the Always prior option to define time periods such as the previous week or the previous two months. If you want to re-run the same report on a daily basis, you do not have to change the time period.

The ANALYTICS view also provides five time range buttons, which appear to the left of the paginator. They allow you to filter data by the last 15 minutes, 1 hour, 1 day, 7 days, or 30 days.

Specifying Trend Interval

Complete these steps to specify the trend interval.

  1. From the Edit Filters and Time Range edit box, specify the Trend Interval:
    1. Auto - (Default) Query is handled normally.
    2. Hourly - Select this configuration for proper chart display if you want to check the data hourly.
    3. Daily - Select this configuration for proper chart display if you want to check the data daily.
    4. Weekly - Select this configuration for proper chart display if you want to check the data weekly.

Specifying Event Search Source

Complete these steps to specify the event source for search:

  1. Specify the source:
    1. Online - search online only.
    2. Archive - search archive only.

Specifying Aggregations and Display Fields

The following sections describe how to aggregate data using Group By fields and how to apply display conditions.

Specifying Group By and Display Fields

If you want to specify a non-aggregated search (without Group By fields), then complete these steps:

  1. Click the Change Display Fields drop-down list icon to create a display column.
  2. Under the Group By and Display Fields section, enter an attribute:
    1. For a non-aggregated search, choose the event attribute from the drop-down list. If the attribute is not on the list, then enter a part of the attribute name to see some matches (for example, entering “IP” will display “Source IP” which is not on the list).
  3. Optionally, select the Order of display as ASC (ascending) or DESC (descending) if the search results need to be ordered by this column. Choose this order carefully: if multiple columns have an Order specified, the system sorts by the column that appears first and then by the other ordered columns, in their order of appearance on the Display Column page.
  4. If you want a column heading to display differently than the attribute, choose the desired name as Display As.
  5. The search results are displayed in the order of the columns. You can alter the position of a column by clicking the Move up and down arrows.

If you want to specify an aggregated search (with Group By fields), then complete these steps:

  1. Click the Change Display Fields drop-down list icon to create a display column.
  2. Under the Group By and Display Fields section, enter an attribute:
    1. For aggregated search, enter an event attribute or create an expression using the Expression Builder, described below.
  3. Optionally, select the Order of display as ASC (ascending) or DESC (descending) if the search results need to be ordered by this column. Choose this order carefully: if multiple columns have an Order specified, the system sorts by the column that appears first and then by the other ordered columns, in their order of appearance on the Display Column page.
  4. If you want a column heading to display differently than the attribute, choose the desired name as Display As.
  5. The search results are displayed in the order of the columns. You can alter the position of a column by clicking the Move up and down arrows.

Specifying Display Conditions for Aggregated Search

If you specified an aggregate search with Group By fields, then you can specify certain conditions. Only the events that match these display conditions will be displayed.

In the Display Conditions section of the Group By and Display Fields dialog box:

  1. Choose an Attribute from the drop-down list.
  2. Choose an Operator from the drop-down list.
  3. Enter a Value for the operator.
  4. If you require additional conditions, choose a value from the Next drop-down list and click the + icon under Row.
  5. Click the + or - icons under Paren as needed, to add or remove parentheses on a row.

Saving Group By and Display Fields and Display Conditions

To save Group By and Display Fields and Display conditions, complete these steps:

  1. Click Save in the Group By and Display Fields dialog box to save your configuration as a template.
  2. Choose a Scope from the drop-down list in the Save Group By and Display Fields as: dialog box and enter a name for the template.

Loading Group By and Display Fields and Display Conditions

To load Group By and Display Fields and Display conditions, complete these steps:

  1. Click Load in the Group By and Display Fields dialog box if you want to see a list of display fields that can be added to the template. The list can contain system- and user-defined display fields. 
  2. Click an item in the list, then click Load. The Group By and Display Fields dialog box closes and you will see the selected item in the list of Attributes in the Group By and Display Fields section.

Specifying Organizations for a Service Provider Deployment

To specify Organizations in a Service Provider deployment, select the organizations from the Selection Organizations drop-down icon.

Run Multiple Searches Simultaneously

To run multiple real-time or historical searches simultaneously, follow these steps:

  1. Click the Edit Filters and Time Range edit box.
  2. Define the parameters required for the search. See Understanding Search Components.
  3. Start the search.
  4. Click the + button next to the search tab to define another search.
  5. Define, then start, another real-time or historical search.

The additional search will appear as a tab next to the + button.

Note: Real-time searches pause when you switch between tabs.

Examples of Operators in Expressions

Operator                                   Argument                                        Example
COUNT                                      Matched Events                                  COUNT (Matched Events)
COUNT DISTINCT                             Any non-numerical attribute that is not unique  COUNT DISTINCT (Host Name)
AVG, MAX, MIN, SUM, Pctile95, PctChange    Numerical attribute                             AVG (CPU Util), MAX (CPU Util), MIN (CPU Util)
LAST, FIRST                                Numerical attribute                             LAST (System Uptime), FIRST (System Uptime)
HourOfDay, DayOfWeek                       Time attribute                                  HourOfDay (Event Receive Time), DayOfWeek (Event Receive Time)
DeviceToCMDBAttr                           Host name/IP                                    DeviceToCMDBAttr (Reporting IP : County/Region)

Examples of Expressions

Operators with arguments can be combined with +, -, / and *, using parentheses, to form an expression. For a good example, see the built-in report “Top Devices By System Uptime Pct”, which computes the System Uptime percentage using the expression

100 - (100*SUM(System Down Time)/SUM(Polling Interval)).
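The following is an added example, not FortiSIEM's own code or query language: it uses Python and sqlite3 to show the semantics of the aggregated search described under Specifying Display Conditions for Aggregated Search and of the uptime expression above. The Group By field becomes GROUP BY, the expression a SELECT column, the display condition a HAVING clause; the events, host names, IP addresses and column names are constructed for this example.

```python
import sqlite3

# Constructed sample availability polls (not real FortiSIEM data), one row per
# event, as the "Top Devices By System Uptime Pct" report would consume them.
# Column names are assumptions made for this example.
SAMPLE_EVENTS = [
    # (host_name, reporting_ip, system_down_time_sec, polling_interval_sec)
    ("core-sw1",   "10.0.0.1",   0, 300),
    ("core-sw1",   "10.0.0.1",   0, 300),
    ("core-sw1",   "10.0.0.1",  30, 300),
    ("edge-fw1",   "10.0.0.2",   0, 300),
    ("edge-fw1",   "10.0.0.2",   0, 300),
    ("edge-fw1",   "10.0.0.2",   0, 300),
    ("branch-rt1", "10.0.1.1", 120, 300),
    ("branch-rt1", "10.0.1.1", 300, 300),
    ("branch-rt1", "10.0.1.1",   0, 300),
]

# The report's expression, 100 - (100*SUM(System Down Time)/SUM(Polling Interval)).
# 100.0 forces floating-point division; integer division would round the
# percentage down and hide short outages.
UPTIME_PCT = "100 - (100.0 * SUM(system_down_time) / SUM(polling_interval))"


def top_devices_by_uptime_pct(events, max_pct=100.0):
    """Aggregated search: Group By host_name, display COUNT(Matched Events) and
    the uptime expression, keep only groups whose uptime is below max_pct
    (the Display Condition), ordered ASC so the worst device is listed first.
    Returns [(host_name, matched_events, uptime_pct)]."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (host_name TEXT, reporting_ip TEXT, "
        "system_down_time INTEGER, polling_interval INTEGER)"
    )
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", events)
    rows = conn.execute(
        f"""SELECT host_name,
                   COUNT(*)     AS matched_events,
                   {UPTIME_PCT} AS uptime_pct
            FROM events
            GROUP BY host_name
            HAVING {UPTIME_PCT} < ?
            ORDER BY uptime_pct ASC, host_name ASC""",
        (max_pct,),
    ).fetchall()
    conn.close()
    return [(host, n, round(pct, 2)) for host, n, pct in rows]
```

With the default display condition (uptime below 100), edge-fw1 has no downtime and drops out of the result, exactly as a HAVING clause removes a group rather than individual rows.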

Examples of Various Searches

  • Non-aggregate search – see Shortcut > Raw Messages.
  • Aggregate search:
    1. Basic – one attribute and one counting expression - Shortcut > Top Event Types.
    2. Intermediate – three attributes and one counting expression - Shortcut > Top Reporting Devices and Event Types
    3. Advanced – multiple attributes and complex expressions including Device to CMDB attributes:
      1. Reports > Function > Performance > Top Network Interfaces By Util
      2. Reports > Function > Availability > Top Devices By Business Hours Network Ping Uptime Pct
      3. Reports > Incidents By Location and Category