System-defined Watch List

FortiSIEM includes several pre-defined watch lists that are populated by system-defined rules.

| Watch List | Description | Attribute Type | Triggering Rules |
|---|---|---|---|
| Accounts Locked | Domain accounts that are locked out frequently | User (STRING) | Account Locked: Domain |
| Application Issues | Applications exhibiting issues | Host Name (STRING) | IIS Virtual Memory Critical; SQL Server Low Buffer Cache Hit Ratio; SQL Server Low Log Cache Hit Ratio; SQL Server Excessive Deadlock; SQL Server Excessive Page Read/Write; SQL Server Low Free Pages In Buffer Pool; SQL Server Excessive Blocking; Database Server Disk Latency Critical; SQL Server Excessive Full Scan; SQL Server scheduled job failed; High Oracle Table Scan Usage; High Oracle Non-System Table Space Usage; Oracle database not backed up for 1 day; Exchange Server SMTP Queue High; Exchange Server Mailbox Queue High; Exchange Server RPC Request High; Exchange Server RPC Latency High; Oracle DB Low Buffer Cache Hit Ratio; Oracle DB Low Library Cache Hit Ratio; Oracle DB Low Row Cache Hit Ratio; Oracle DB Low Memory Sorts Ratio; Oracle DB Alert Log Error; Excessively Slow Oracle DB Query; Excessively Slow SQL Server DB Query; Excessively Slow MySQL DB Query |
| Availability Issues | Servers, network or storage devices, or applications that are exhibiting availability issues | Host Name (STRING) | Network Device Degraded - Lossy Ping Response; Network Device Down - No Ping Response; Server Degraded - Lossy Ping Response; Server Down - No Ping Response; Server Network Interface Staying Down; Network Device Interface Flapping; Server Network Interface Flapping; Important Process Staying Down; Important Process Down; Auto Service Stopped; Critical Network Interface Staying Down; EC2 Instance Down; Storage Port Down; Oracle Database Instance Down; Oracle Listener Port Down; MySQL Database Instance Down; SQL Server Instance Down; Service Staying Down - Slow Response To STM; Service Down - No Response to STM; Service Staying Down - No Response to STM |
| DNS Violators | Sources that send excessive DNS traffic or send traffic to unauthorized DNS gateways | Source IP | Excessive End User DNS Queries to Unauthorized DNS Servers; Excessive End User DNS Queries; Excessive Denied End User DNS Queries; Excessive Malware Domain Name Queries; Excessive Uncommon DNS Queries; Excessive Repeated DNS Queries To The Same Domain |
| Denied Countries | Countries that are seeing a high volume of denials on the firewall | Destination Country (STRING) | Excessive Denied Connections From An External Country |
| Denied Ports | Ports that are seeing a high volume of denials on the firewall | Destination Port (INT) | Excessive Denied Connection To A Port |
| Environmental Issues | Environmental devices that are exhibiting issues | Host Name (STRING) | UPS Battery Metrics Critical; UPS Battery Status Critical; HVAC Temp High; HVAC Temp Low; HVAC Humidity High; HVAC Humidity Low; FPC Voltage THD High; FPC Voltage THD Low; FPC Current THD High; FPC Ground Current High; NetBotz Module Door Open; NetBotz Camera Motion Detected; Warning APC Trap; Critical APC Trap |
| Hardware Issues | Servers, network or storage devices that are exhibiting hardware issues | Host Name (STRING) | Network Device Hardware Warning; Network Device Hardware Critical; Server Hardware Warning; Server Hardware Critical; Storage Hardware Warning; Storage Hardware Critical; Warning NetApp Trap; Critical Network Trap |
| Host Scanners | Hosts that scan other hosts | Source IP | Heavy Half-open TCP Host Scan; Heavy Half-open TCP Host Scan On Fixed Port; Heavy TCP Host Scan; Heavy TCP Host Scan On Fixed Port; Heavy UDP Host Scan; Heavy UDP Host Scan On Fixed Port; Heavy ICMP Ping Sweep; Multiple IPS Scans From The Same Src |
| Mail Violators | End nodes that send too much mail or send mail to unauthorized gateways | | Excessive End User Mail to Unauthorized Gateways; Excessive End User Mail |
| Malware Found | Hosts where malware was found by host IPS/AV-based systems and the malware is not remediated | Host Name (STRING) | Virus found but not remediated; Malware found but not remediated; Phishing attack found but not remediated; Rootkit found; Adware process found |
| Malware Likely | Hosts that are likely to have malware, as detected by network devices; the determination is less certain than host-based detection | Source IP or Destination IP | Excessive Denied Connections From Same Src; Suspicious BotNet Like End Host DNS Behavior; Permitted Blacklisted Source; Denied Blacklisted Source; Permitted Blacklisted Destination; Denied Blacklisted Destination; Spam/malicious Mail Attachment found but not remediated; Spyware found but not remediated; DNS Traffic to Malware Domains; Traffic to Emerging Threat Shadow Server list; Traffic to Emerging Threat RBN list; Traffic to Emerging Threat Spamhaus list; Traffic to Emerging Threat Dshield list; Permitted traffic from Emerging Threat Shadow Server list; Permitted traffic from Emerging Threat RBN list; Permitted traffic from Emerging Threat Spamhaus list; Permitted traffic from Emerging Threat Dshield list |
| Port Scanners | Hosts that scan ports on a machine | Source IP | Heavy Half-open TCP Port Scan: Single Destination; Heavy Half-open TCP Port Scan: Multiple Destinations; Heavy TCP Port Scan: Single Destination; Heavy TCP Port Scan: Multiple Destinations; Heavy UDP Port Scan: Single Destination; Heavy UDP Port Scan: Multiple Destinations |
| Policy Violators | End nodes exhibiting behavior that is not acceptable in typical corporate networks | Source IP | P2P Traffic detected; IRC Traffic detected; P2P Traffic consuming high network bandwidth; Tunneled Traffic detected; Inappropriate website access; Inappropriate website access - multiple categories; Inappropriate website access - high volume; Inbound clear text password usage; Outbound clear text password usage; Remote desktop from Internet; VNC From Internet; Long lasting VPN session; High throughput VPN session; Outbound Traffic to Public DNS Servers |
| Resource Issues | Servers, network or storage devices that are exhibiting resource issues (CPU, memory, disk space, disk I/O, network I/O, virtualization resources), either at the system level or the application level | Host Name (STRING) | High Process CPU: Server; High Process CPU: Network; High Process Memory: Server; High Process Memory: Network; Server CPU Warning; Server CPU Critical; Network CPU Warning; Network CPU Critical; Server Memory Warning; Server Memory Critical; Network Memory Warning; Network Memory Critical; Server Swap Memory Critical; Server Disk Space Warning; Server Disk Space Critical; Server Disk Latency Warning; Server Disk Latency Critical; Server Intf Util Warning; Server Intf Util Critical; Network Intf Util Warning; Network Intf Util Critical; Network IPS Intf Util Warning; Network IPS Intf Util Critical; Network Intf Error Warning; Network Intf Error Critical; Server Intf Error Warning; Server Intf Error Critical; Virtual Machine CPU Warning; Virtual Machine CPU Critical; Virtual Machine Memory Swapping Warning; Virtual Machine Memory Swapping Critical; ESX CPU Warning; ESX CPU Critical; ESX Memory Warning; ESX Memory Critical; ESX Disk I/O Warning; ESX Disk I/O Critical; ESX Network I/O Warning; ESX Network I/O Critical; Storage CPU Warning; Storage CPU Critical; NFS Disk Space Warning; NFS Disk Space Critical; NetApp NFS Read/Write Latency Warning; NetApp NFS Read/Write Latency Critical; NetApp CIFS Read/Write Latency Warning; NetApp CIFS Read/Write Latency Critical; NetApp iSCSI Read/Write Latency Warning; NetApp iSCSI Read/Write Latency Critical; NetApp FCP Read/Write Latency Warning; NetApp FCP Read/Write Latency Critical; NetApp Volume Read/Write Latency Warning; NetApp Volume Read/Write Latency Critical; EqualLogic Connection Read/Write Latency Warning; EqualLogic Connection Read/Write Latency Critical; Isilon Protocol Latency Warning |
| Routing Issues | Network devices exhibiting routing-related issues | Host Name (STRING) | OSPF Neighbor Down; EIGRP Neighbor Down |
| Scanned Hosts | Hosts that are scanned | Destination IP | Half-open TCP DDOS Attack; TCP DDOS Attack; Excessive Denied Connections to Same Destination |
| Vulnerable Systems | Systems that have high severity vulnerabilities reported by scanners | Host Name (STRING) | Scanner found severe vulnerability |
| Wireless LAN Issues | Wireless nodes triggering violations | MAC Address (STRING) | Rogue or Unsecure AP detected; Wireless Host Blacklisted; Excessive WLAN Exploits; Excessive WLAN Exploits: Same Source |