Understanding Search Components
To perform a well-defined search, see the following sections:
- Specifying Search Filters – this specifies which data will be included in the Search.
- Specifying Search Time Window – only events that have been received by FortiSIEM within this time window will be part of the search.
- Specifying Trend Interval – buckets the results hourly, daily or weekly so that trend charts display correctly.
- Specifying Event Search Source - only the selected source will be searched.
- Specifying Aggregations and Display Fields – this specifies how the data will be grouped and which fields will be displayed in the search result.
- Specifying Organizations for a Service Provider Deployment – only events belonging to this organization will be included in the Search.
- Run Multiple Searches Simultaneously – multiple real-time or historical searches can run simultaneously.
- Examples of Operators in Expressions
Specifying Search Filters
Complete these steps to specify search filters:
- Click the Edit Filters and Time Range edit box.
- Specify a filter condition:
- Event Keyword - Enter any related keyword for search.
- Event Attribute - Choose an event attribute from the drop-down list or build an expression using the expression builder.
Only the event attributes that apply to the event type are displayed.
- Operator - Choose the operator from the drop-down list.
- Value - Enter a value in the edit box, or choose from CMDB, or build an expression using the expression builder, or select from Report.
- CMDB Attribute - Select a Target from the drop-down list. In the table, enter the CMDB attributes you want to search on.
- If more than one filter condition is needed, then click + under Row.
- Specify the AND/OR operator under Next.
- Specify the next filter condition. When you click in the Attribute field, FortiSIEM will display only those attributes that can be used with the previous attribute.
- Apply parenthesis if needed to prioritize filter evaluation by clicking + on the Paren icon.
Note that the rows can be deleted by clicking the - under Row and the parenthesis can be deleted by clicking - under Paren.
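The AND/OR column and the Paren column together decide how the filter rows combine, and the grouping changes which events a search returns. The following Python is an added example, not FortiSIEM code: it models the row table (Attribute, Operator, Value, Paren, Next) and evaluates it against a few constructed events. The operator subset, the event type names and addresses, and the rule that AND binds tighter than OR when no parentheses are given are all assumptions of the example; in the product, add the parentheses explicitly rather than relying on any default precedence.

```python
"""Added example (not FortiSIEM code): evaluate a filter made of rows of
Attribute / Operator / Value joined by Next (AND/OR), with the Paren column
deciding grouping, over constructed events.  The operator subset and the
AND-before-OR precedence used when no parentheses are given are assumptions."""
from dataclasses import dataclass
from typing import Any, Optional


@dataclass
class Row:
    attribute: str
    operator: str
    value: Any
    open_paren: int = 0            # "(" count added before this row (Paren +)
    close_paren: int = 0           # ")" count added after this row
    next_op: Optional[str] = None  # "AND" / "OR" joining to the following row


# A subset of the operator drop-down, with assumed semantics.
OPERATORS = {
    "=": lambda a, v: a == v,
    "!=": lambda a, v: a != v,
    "IN": lambda a, v: a in v,
    "NOT IN": lambda a, v: a not in v,
    "CONTAIN": lambda a, v: isinstance(a, str) and v in a,
}

# Constructed sample events (event types and addresses are made up).
EVENTS = [
    {"Event Type": "Logon-Failure", "Source IP": "10.0.0.5",    "Reporting IP": "10.0.1.1"},
    {"Event Type": "Logon-Failure", "Source IP": "203.0.113.9", "Reporting IP": "10.0.1.1"},
    {"Event Type": "Logon-Success", "Source IP": "203.0.113.9", "Reporting IP": "10.0.1.1"},
    {"Event Type": "Logon-Success", "Source IP": "10.0.0.7",    "Reporting IP": "10.0.1.2"},
]
EXTERNAL = {"203.0.113.9", "198.51.100.4"}   # constructed watch list


def tokenize(rows):
    """Flatten the row table into tokens: "(", Row, ")" and AND/OR."""
    tokens = []
    for i, r in enumerate(rows):
        tokens += ["("] * r.open_paren + [r] + [")"] * r.close_paren
        if i < len(rows) - 1:
            if r.next_op not in ("AND", "OR"):
                raise ValueError(f"row {i + 1} needs Next = AND or OR")
            tokens.append(r.next_op)
    return tokens


def evaluate(rows, event):
    """Recursive-descent evaluation: parentheses first, then AND, then OR."""
    tokens, pos = tokenize(rows), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1] if pos <= len(tokens) else None

    def factor():
        t = take()
        if t == "(":
            v = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return v
        if isinstance(t, Row):
            return OPERATORS[t.operator](event.get(t.attribute), t.value)
        raise ValueError(f"malformed filter: unexpected {t!r}")

    def term():                      # factor (AND factor)*
        v = factor()
        while peek() == "AND":
            take()
            v = factor() and v       # call factor() first so parsing advances
        return v

    def expr():                      # term (OR term)*
        v = term()
        while peek() == "OR":
            take()
            v = term() or v
        return v

    result = expr()
    if pos != len(tokens):
        raise ValueError("unbalanced parentheses")
    return result


def search(rows, events=EVENTS):
    return [e for e in events if evaluate(rows, e)]


# The same three rows, with and without parentheses around rows 2 and 3.
NO_PAREN = [
    Row("Event Type", "=", "Logon-Failure", next_op="AND"),
    Row("Source IP", "IN", EXTERNAL, next_op="OR"),
    Row("Reporting IP", "=", "10.0.1.2"),
]
WITH_PAREN = [
    Row("Event Type", "=", "Logon-Failure", next_op="AND"),
    Row("Source IP", "IN", EXTERNAL, open_paren=1, next_op="OR"),
    Row("Reporting IP", "=", "10.0.1.2", close_paren=1),
]

if __name__ == "__main__":
    print(len(search(NO_PAREN)), "events without parentheses")  # 2
    print(len(search(WITH_PAREN)), "events with parentheses")   # 1
```

With the same three rows, the version without parentheses also returns the successful logon reported by 10.0.1.2, while the version with parentheses returns only the failed logon from the watch-listed address. When a saved search feeds detection, that difference is a spurious or missed hit, so check the Paren column before saving a filter.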
Specifying Search Time Window
Complete these steps to specify the search time window:
- Click the Edit Filters and Time Range edit box.
- Specify the time window:
- Real-time mode – only from the current time onwards.
- Historical mode – for previous time periods that have already occurred. Select Relative or Absolute option.
- For the Relative option, the query will run for a duration in the past, starting from current time. Choose the time scale (Minutes/Hours/Days) and the quantity.
- For the Absolute option, the query will run for a specific time window in the past. There are two ways to specify this:
- Using two explicitly defined time epochs.
- Using Always prior option to define time-periods such as the previous week or the previous two months. If you are interested in re-running the same report on a daily basis, then you do not have to change the time period.
The ANALYTICS view also provides a list of five time range buttons which appear to the left of the paginator. They allow you to filter data by the last 15 minutes, 1 hour, 1 day, 7 days, or 30 days.
Specifying Trend Interval
Complete these steps to specify the trend interval:
- From the Edit Filters and Time Range edit box, specify the Trend Interval:
- Auto - (Default) Query is handled normally.
- Hourly - Select this configuration for proper chart display if you want to check the data hourly.
- Daily - Select this configuration for proper chart display if you want to check the data daily.
- Weekly - Select this configuration for proper chart display if you want to check the data weekly.
Specifying Event Search Source
Complete these steps to specify the event source for search:
- Specify the source:
- Online - search online data only.
- Archive - search archived data only.
Specifying Aggregations and Display Fields
The following sections describe how to aggregate data using Group By fields and how to apply display conditions.
- Specifying Group By and Display Fields
- Specifying Display Conditions for Aggregated Search
- Saving Group By and Display Fields and Display Conditions
- Loading Group By and Display Fields and Display Conditions
Specifying Group By and Display Fields
If you want to specify a non-aggregated search (without Group By fields), then complete these steps:
- Click the Change Display Fields drop-down list icon to create a display column.
- Under the Group By and Display Fields section, enter an attribute:
- For a non-aggregated search, choose the event attribute from the drop-down list. If the attribute is not on the list, then enter a part of the attribute name to see some matches (for example, entering “IP” will display “Source IP” which is not on the list).
- Optionally, select the Order of display as ASC (ascending) or DESC (descending) if the search result needs to show the results ordered by this column. Choose this order carefully. If multiple columns have Order specified, then the results are sorted by the first such column, and ties are broken by the later columns in their order of appearance in the Display Column page.
- If you want a column heading to display differently than the attribute, choose the desired name as Display As.
- The search results are displayed in the order of the columns. You can alter the position of a column by clicking the Move up and down arrows.
If you want to specify an aggregated search (with Group By fields), then complete these steps:
- Click the Change Display Fields drop-down list icon to create a display column.
- Under the Group By and Display Fields section, enter an attribute:
- For aggregated search, enter an event attribute or create an expression using the Expression Builder, described below.
- Optionally, select the Order of display as ASC (ascending) or DESC (descending) if the search result needs to show the results ordered by this column. Choose this order carefully. If multiple columns have Order specified, then the results are sorted by the first such column, and ties are broken by the later columns in their order of appearance in the Display Column page.
- If you want a column heading to display differently than the attribute, choose the desired name as Display As.
- The search results are displayed in the order of the columns. You can alter the position of a column by clicking the Move up and down arrows.
Specifying Display Conditions for Aggregated Search
If you specified an aggregate search with Group By fields, then you can specify display conditions on the aggregated values. Only the aggregated result rows that satisfy these conditions will be displayed.
In the Display Conditions section of the Group By and Display Fields dialog box:
- Choose an Attribute from the drop-down list.
- Choose an Operator from the drop-down list.
- Enter a Value for the operator.
- If you require additional conditions, choose a value from the Next drop-down list and click the + icon under Row.
- Click the + or - icons under Paren as needed, to add or remove parentheses on a row.
Saving Group By and Display Fields and Display Conditions
To save Group By and Display Fields and Display conditions, complete these steps:
- Click Save in the Group By and Display Fields dialog box to save your configuration as a template.
- Choose a Scope from the drop-down list in the Save Group By and Display Fields as: dialog box and enter a name for the template.
Loading Group By and Display Fields and Display Conditions
To load Group By and Display Fields and Display conditions, complete these steps:
- Click Load in the Group By and Display Fields dialog box if you want to see a list of display fields that can be added to the template. The list can contain system- and user-defined display fields.
- Click an item in the list, then click Load. The Group By and Display Fields dialog box closes and you will see the selected item in the list of Attributes in the Group By and Display Fields section.
Specifying Organizations for a Service Provider Deployment
To specify Organizations in a Service Provider deployment, select the organizations from the Selection Organizations drop-down icon.
Run Multiple Searches Simultaneously
To run multiple real-time or historical searches simultaneously, follow these steps:
- Click the Edit Filters and Time Range edit box.
- Define the parameters required for the search. See Understanding Search Components.
- Start the search.
- Click the + button next to the search tab to define another search.
- Define, then start, another real-time or historical search.
The additional search will appear as a tab next to the + button.
Note: real-time searches will pause as you switch between tabs.
Examples of Operators in Expressions
Operator | Argument | Example
---|---|---
COUNT | Matched Events | COUNT (Matched Events)
COUNT DISTINCT | Any non-numerical attribute that is not unique | COUNT DISTINCT (Host Name)
AVG, MAX, MIN, SUM, Pctile95, PctChange | Numerical attribute | AVG (CPU Util), MAX (CPU Util), MIN (CPU Util)
LAST, FIRST | Numerical attribute | LAST (System Uptime), FIRST (System Uptime)
HourOfDay, DayOfWeek | Time attribute | HourOfDay (Event Receive Time), DayOfWeek (Event Receive Time)
DeviceToCMDBAttr | Host name/IP | DeviceToCMDBAttr (Reporting IP : Country/Region)
Examples of Expressions
Operators with arguments can be combined with +, -, / and * and parentheses to form an expression. For a good example, see the built-in report "Top Devices By System Uptime Pct", which computes the System Uptime percentage using the expression
100 - (100*SUM(System Down Time)/SUM(Polling Interval)).
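As an added example (not FortiSIEM code), the Python below models an aggregated search end to end: Group By keys, the aggregation operators from the table, the uptime-percentage expression quoted above, an Order column, and a Display Condition that filters the aggregated rows the way an SQL HAVING clause would. The events, host names and timings are constructed, and anything beyond the operator names on the page, for example that HourOfDay reads epoch times as UTC, is an assumption of the example.

```python
"""Added example (not FortiSIEM code): Group By fields, aggregation operators,
an expression and a Display Condition, modelled over constructed poll events."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean

T0 = 1709539200  # 2024-03-04T08:00:00Z, start of the constructed data


def _ev(minute, host, cpu, down):
    """One constructed 5-minute availability poll (not real FortiSIEM output)."""
    return {"Event Receive Time": T0 + 60 * minute, "Host Name": host,
            "CPU Util": cpu, "System Down Time": down, "Polling Interval": 300}


EVENTS = [_ev(0, "web01", 30.0, 0), _ev(5, "web01", 90.0, 300), _ev(10, "web01", 40.0, 0),
          _ev(15, "web01", 20.0, 0), _ev(0, "db01", 55.0, 0), _ev(5, "db01", 65.0, 0),
          _ev(60, "web02", 10.0, 60), _ev(65, "web02", 15.0, 0), _ev(70, "web02", 15.0, 0),
          _ev(75, "web02", 15.0, 0)]

# Operators from the table above, applied to one attribute across a group's
# events; the value lists are in Event Receive Time order, so FIRST/LAST are
# the earliest/latest value.
AGGREGATES = {
    "COUNT": len, "COUNT DISTINCT": lambda v: len(set(v)),
    "SUM": sum, "AVG": mean, "MAX": max, "MIN": min,
    "FIRST": lambda v: v[0], "LAST": lambda v: v[-1],
}


def agg(op, attribute):
    """Display field op(attribute), e.g. agg("AVG", "CPU Util")."""
    return lambda evs: AGGREGATES[op]([e[attribute] for e in evs])


def hour_of_day(attribute):
    """Group key HourOfDay(attribute); epochs are read as UTC (assumption)."""
    return lambda e: datetime.fromtimestamp(e[attribute], timezone.utc).hour


def uptime_pct(evs):
    """100 - (100*SUM(System Down Time)/SUM(Polling Interval)) from the
    built-in report; None when the group has no polling data."""
    polled = agg("SUM", "Polling Interval")(evs)
    if polled == 0:
        return None
    return 100 - (100 * agg("SUM", "System Down Time")(evs) / polled)


def aggregate_search(events, group_by, display_fields, display_conditions=(), order=None):
    """group_by: {name: key_fn(event)}; display_fields: {name: fn(group_events)};
    display_conditions: predicates on the aggregated row (like SQL HAVING);
    order: (column, "ASC" | "DESC")."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["Event Receive Time"]):
        groups[tuple(fn(e) for fn in group_by.values())].append(e)
    rows = []
    for key, evs in groups.items():
        row = dict(zip(group_by, key))
        row.update({name: fn(evs) for name, fn in display_fields.items()})
        if all(cond(row) for cond in display_conditions):
            rows.append(row)
    if order:
        rows.sort(key=lambda r: r[order[0]], reverse=(order[1] == "DESC"))
    return rows


def top_devices_below_full_uptime():
    """Group by Host Name, compute the uptime expression, keep hosts under 100%."""
    return aggregate_search(
        EVENTS, group_by={"Host Name": lambda e: e["Host Name"]},
        display_fields={"COUNT(Matched Events)": agg("COUNT", "Event Receive Time"),
                        "AVG(CPU Util)": agg("AVG", "CPU Util"),
                        "MAX(CPU Util)": agg("MAX", "CPU Util"),
                        "LAST(CPU Util)": agg("LAST", "CPU Util"),
                        "Uptime Pct": uptime_pct},
        display_conditions=[lambda r: r["Uptime Pct"] is not None and r["Uptime Pct"] < 100],
        order=("Uptime Pct", "ASC"))


def events_per_hour():
    """Group by HourOfDay(Event Receive Time) with COUNT and COUNT DISTINCT."""
    key = "HourOfDay(Event Receive Time)"
    return aggregate_search(
        EVENTS, group_by={key: hour_of_day("Event Receive Time")},
        display_fields={"COUNT(Matched Events)": agg("COUNT", "Event Receive Time"),
                        "COUNT DISTINCT(Host Name)": agg("COUNT DISTINCT", "Host Name")},
        order=(key, "ASC"))


if __name__ == "__main__":
    for row in top_devices_below_full_uptime() + events_per_hour():
        print(row)
```

The display condition runs after aggregation, which is why db01 (100% uptime) is dropped from the first search even though all of its events matched the filter; a condition on a raw attribute belongs in the search filter, a condition on COUNT, AVG or a computed percentage belongs here.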
Examples of Various Searches
- Non-aggregate search – see Shortcut > Raw Messages.
- Aggregate search:
- Basic – one attribute and one counting expression - Shortcut > Top Event Types.
- Intermediate – three attributes and one counting expression - Shortcut > Top Reporting Devices and Event Types.
- Advanced – multiple attributes and complex expressions including Device to CMDB attributes:
- Reports > Function > Performance > Top Network Interfaces By Util
- Reports > Function > Availability > Top Devices By Business Hours Network Ping Uptime Pct
- Reports > Incidents By Location and Category