Automated Incident Resolution Recommendation
FortiSIEM provides 2 attributes to record Incident status:
- Incident Resolution: None, True Positive, False Positive
- Incident Status: Active, System Cleared and Manually Cleared
When an Incident triggers, Incident Status is set to Active and Incident Resolution is set to None. There are 3 ways an Incident can get resolved:
- If the Incident turns out to be a false positive, then the user can set Incident Resolution to False Positive and Incident Status to Manually Cleared.
- The Incident may clear itself because of a clearing condition in the rule. In that case, Incident Resolution is set to True Positive and Incident Status is set to System Cleared.
- The Incident may be a real issue. In that case, after working through the issue, the user can set Incident Resolution to True Positive and Incident Status to Manually Cleared.
FortiSIEM uses a Machine Learning Classification algorithm to recommend Incident Resolution. First, it learns the Incident Resolution set by the user for Incidents over the previous 2 days. Then it recommends Incident Resolution for new Incidents as they occur. The algorithm runs daily at midnight (12AM) to cover Incidents over the last 2 days. Recommendation is done as follows:
- Incident Resolution is set to True Positive or False Positive.
- A new Incident attribute called Confidence (between 0 and 100) is set. A high Confidence value implies high confidence in the result.
- Incident Comment is updated with the comment "Resolution set by Machine Learning".
Notes:
- Only Incident Resolution is set. Incident Status is not modified.
- The Machine Learning algorithm always runs in the background and cannot be disabled. The algorithm uses a set of Incident attributes as features (including Event Receive Time, Event Type, Reporting Device, Source, Target, Category and MITRE ATT&CK Technique) to make its recommendation.
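The learn-then-recommend loop described above, as an added Python illustration that is not FortiSIEM's own code: FortiSIEM does not document its classifier or confidence formula, so a categorical Naive Bayes stands in, and the incident records, field names and resulting confidence values are constructed for the example.

```python
# Toy re-creation of the recommendation flow above (added illustration, not FortiSIEM code;
# the real classifier is undocumented): categorical Naive Bayes with Laplace smoothing.
from collections import Counter, defaultdict
from datetime import datetime, timedelta
FEATURES = ("event_type", "reporting_device", "source", "target",
            "category", "mitre_technique")
WINDOW = timedelta(days=2)            # learn only from the previous 2 days

def train(incidents, now):
    """Count analyst-set resolutions (True/False Positive) inside the window."""
    cutoff = now - WINDOW
    labels, counts, vocab = Counter(), defaultdict(Counter), defaultdict(set)
    for inc in incidents:
        if inc["resolution"] == "None" or inc["receive_time"] < cutoff:
            continue                  # unresolved or too old: not training data
        labels[inc["resolution"]] += 1
        for f in FEATURES:
            counts[(f, inc["resolution"])][inc[f]] += 1
            vocab[f].add(inc[f])
    return labels, counts, vocab

def recommend(model, inc):
    """Return (resolution, confidence 0-100) for a new, unresolved incident."""
    labels, counts, vocab = model
    total, score = sum(labels.values()), {}
    for label, n in labels.items():
        p = n / total                 # class prior
        for f in FEATURES:            # smoothed likelihood; +1 leaves mass for unseen values
            p *= (counts[(f, label)][inc[f]] + 1) / (n + len(vocab[f]) + 1)
        score[label] = p
    best = max(score, key=score.get)
    return best, round(100 * score[best] / sum(score.values()))

def apply_recommendation(model, inc):
    """Set Resolution, Confidence and Comment only; Incident Status is untouched."""
    inc["resolution"], inc["confidence"] = recommend(model, inc)
    inc["comment"] = "Resolution set by Machine Learning"
    return inc

NOW = datetime(2024, 1, 10)           # stands in for the midnight run
def make_incident(days_ago, etype, dev, src, dst, tech, res):  # constructed record
    return {"receive_time": NOW - timedelta(days=days_ago), "event_type": etype,
            "reporting_device": dev, "source": src, "target": dst, "category": "Security",
            "mitre_technique": tech, "resolution": res, "status": "Active"}
HISTORY = [  # constructed history, resolved by an analyst
    make_incident(1, "Brute Force", "fw1", "vuln-scanner", "dc1", "T1110", "False Positive"),
    make_incident(1, "Brute Force", "fw1", "vuln-scanner", "dc2", "T1110", "False Positive"),
    make_incident(2, "Brute Force", "fw1", "203.0.113.5", "dc1", "T1110", "True Positive"),
    make_incident(2, "Malware", "ep1", "laptop7", "laptop7", "T1204", "True Positive"),
    make_incident(3, "Malware", "ep1", "laptop9", "laptop9", "T1204", "False Positive"),  # too old
]
```

Running `apply_recommendation(train(HISTORY, NOW), new_incident)` sets only Resolution, Confidence and Comment on the new record, while the 3-day-old entry is ignored by the 2-day training window.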