Incidents and Cases Advanced Operations

FortiSIEM enables you to perform the following advanced operations:

• Changing the Home Country
• Searching Incidents
• Tuning Incidents via Exceptions
• Tuning Incidents via Modifying Rules
• Tuning Incidents via Drop Rules
• Tuning Incidents by Adjusting Thresholds
• Clearing Incidents
• Adding Comments or Remediation Advice to an Incident
• Remediating an Incident
• Notifying an Incident via Email
• Creating New Rules
• Creating a FortiSIEM Ticket
• Creating a Ticket in External Ticketing System

Additional Incident related information: Automated Incident Resolution Recommendation

Changing the Home Country

Many rules and reports use the My Home CMDB Object as defined in RESOURCES > Country Groups > My Home. By default, it is set to United States of America.

For details on changing this, see here.

Searching Incidents

If you want to search for specific incidents, go to INCIDENTS > List > Actions > Search. A Search Windows appears on left. First, select the Time Window of interest. Then by clicking on any of the criteria, you can see the current values. You can select values to see matches incidents in the right pane.

For details about Searching Incidents, see here.

Tuning Incidents via Exceptions

If you do not want a rule to trigger for a specific Incident Attribute, then you can create an exception.

1. Go to INCIDENTS > List view.
2. Search the Incident (Actions > Search) or make sure that Incident shows in the right pane.
3. Highlight the Incident.
4. Click Actions > Edit Rule Exception.
5. Enter the exception criteria – attribute based or time-based.

For details about Tuning Incidents via Exceptions, see here.

Tuning Incidents via Modifying Rules

Sometimes modifying the rule is a better idea than creating exceptions. For example, if you do not want a rule to trigger for DNS Servers, simply modify the rule condition by stating something like “Source IP NOT CONTAIN DNS Server”. To do this:

1. Go to INCIDENTS > List view.
2. Search the Incident (Actions > Search) or make sure that Incident shows in the right pane.
3. Highlight the Incident.
4. Click Actions > Edit Rule.
5. Edit the Rule.
   If it is a System Rule, then you must save it as a User Rule. Deactivate the old System Rule and activate the new User Rule.

For details, see here.

Tuning Incidents via Drop Rules

Sometimes the rule can be prevented from triggering by dropping the event from rule considerations. There are two choices - (a) store the event in database but not trigger the rule or (b) drop the event completely.

To do this:

1. Go to INCIDENTS > List view.
2. Search the Incident (Actions > Search) or make sure that Incident shows in the right pane.
3. Highlight the Incident.
4. Click Actions > Create Event Dropping Rule.
5. Specify event drop criteria and action. Events can be dropped on certain parsed fields (like Reporting/Source/Destination IP and Regex filter on the content).

For details, see here.

Tuning Incidents by Adjusting Thresholds

Some performance rules are written using global thresholds, for example - the Rule “High Process CPU: Server” uses the global threshold “Process CPU Util Critical Threshold” defined in ADMIN > Device Support > Custom Property.

You have two choices – (a) modify the global threshold or (b) modify the threshold for a specific device or a group of devices. If you change the global threshold, then the threshold will change for all devices.

To modify the global threshold, follow these steps:

1. Go ADMIN > Device Support > Custom Property.
2. Select the property and click Edit.
3. Enter the new value and click Save.

For details, see here.

To modify the threshold for one device, follow these steps:

1. Go to CMDB.
2. Select the device and click Edit.
3. In the Properties tab, enter the new value and click Save.

To modify the threshold for a group of devices, repeat the above step for all devices.

Clearing Incidents

In some cases, the Incident may not be happening anymore as the exception condition was corrected.

 To clear one or more Incidents:

1. Go to INCIDENTS > List view.
2. Search the Incident (Actions > Search) or make sure that Incidents show in the right pane.
3. Highlight the Incidents.
4. Click Actions > Clear Incident.
5. Enter Reason and click OK.

For details, see here.

Adding Comments or Remediation Advice to an Incident

To add a comment to an Incident:

1. Go to INCIDENTS > List view.
2. Search the Incident or make sure that Incidents show in the right pane.
3. Highlight the Incidents.
4. Click Actions > Edit Comment.
5. Enter the Comment and click OK.

For details, see here.

Sometimes, it is necessary to add Remediation advice for the recipient of an Incident, so he can take some action to remediate the Incident. This has to be done by editing the Rule.

1. Go to RESOURCES > Rules.
2. Select a Rule and click Edit.
3. Enter Remediation Note text and click Save.

For details, see here.

The Remediation text can be added to the Incident Notification email template.

For details, see here.

Remediating an Incident

You can use the following commands to enable Windows Remote Management (WinRM) and set authentication on the target Windows Servers. See Remediations for information on adding, editing, and deleting a remeditation from the FortiSIEM UI.

In the remediation script:

1. When you initiate the WinRM session, set transport parameter to ssl.
2. Set the server_cert_validation option accordingly. If you do not need to validate the certificate, set to ignore. For example:

   session = winrm.Session(enforceOn, auth = (user, password), transport="ssl", server_cert_validation = "ignore")

In the target Windows server:

Note: You might need to disable Windows Firewall before running remediation.

1. Create the self-signed certificate in the certificate store, for example:

   New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "mySubjectName.lan"

   where Cert:\LocalMachine\My is the location of the certificate store and mySubjectName.lan is the subject alternate name extension of the certificate.

2. Create an HTTPS listener, for example:

   winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Port ="5986";Hostname="{your host name}"; CertificateThumbprint="{CertificateThumbprint}"}'

3. Start the WinRM service and set the service startup type to auto-start. The quickconfig command also configures a listener for the ports that send and receive WS-Management protocol messages using either HTTP or HTTPS on any IP address.

   winrm quickconfig -transport:https

4. Validate the WinRM service configuration and Listener.
   1. Check whether basic authentication is allowed, for example:

      winrm get winrm/config/service

   2. Check whether a listener is running, and verify the default ports, for example:

      winrm get winrm/config/listener

Remediation can be done either on an ad hoc basis (for example, user selects an Incident that has already occurred to Remediate) or using a Notification Policy where the system takes the Remediation action when Incident happens. First, make sure the Remediation script for your scenario is defined. Check the existing Remediation scripts in ADMIN > Settings > General > Notification Policy > Remediation settings. If your device is not in the list, add the needed Remediation script.

To set ad hoc remediation:

1. Go to INCIDENTS > List view.
2. Search the Incident (Actions > Search) or make sure that Incidents show in the right pane.
3. Highlight the Incident you want to remediate (you can remediate only one Incident at a time)..
4. Click Actions > Remediate Incident.
5. In the Run Remediation dialog box:
   1. Select the script in the Remediation drop-down list that you want to run.
   2. Select the role that the script will run on from the Run On drop-down list.
   3. Open the Enforce On drop-down list to choose which devices the remediation script will run on. In the Run Remediation dialog box, open the Device tree. Select individual devices and shuttle them to the Selections column. (You can choose only individual devices; you cannot choose device groups.)
6. Click Run in the Run Remediation dialog box.

For details, see here.

To set policy-based remediation:

1. Go to ADMIN > Settings > General > Notification Policy.
2. Click New.
3. Under Action, click the edit icon next to Run Remediation/Script.
4. In the Notification Policy - Define Script/Remediation dialog box click New.
5. In the dialog box tha topens click either Legacy Script or Remediation:
   • Legacy Script: 
     • Enter the name and path to the script in the Script field.
     • Select the role the script will run on from the Run On drop-down list.
   • Remediation:
     • Select a remediation script from the Script drop-down list.
     • Select the role that the script will run on from the Run On drop-down list.
     • Open the Enforce On drop-down list to choose which devices the remediation script will run on. In theNotification Policy - Define Script/Remediation - Enforce On dialog box, open the Device tree. Select individual devices and shuttle them to the Selections column. (You can choose only individual devices; you cannot choose device groups.)
6. Click Save.

For details, see here.

To see the Notification history of an Incident:

1. Go to INCIDENTS > List view.
2. Search the Incident (Actions > Search) or make sure that Incidents show in the right pane.
3. Highlight the Incidents.
4. Click Actions > Show Notification History.

For details, see here.

Notifying an Incident via Email

Notifying an Incident can be done either on ad hoc basis (for example - user selects an Incident that has already occurred to notify) or using a Notification Policy where the system takes the notification action when Incident happens.

First, make sure that Email Server has been properly defined in ADMIN > Settings > Email > Email Settings.

FortiSIEM has a built-in Incident Notification Email template. If you want a different one, please define it under ADMIN > Settings > Email > Incident Email Template.

For details, see here.

To set ad hoc notifications:

1. Go to INCIDENTS > List view.
2. Search the Incident (Actions > Search) or make sure that Incidents show in the right pane.
3. Highlight the Incidents.
4. Click Actions > Notify via Email.
5. Choose Receive Email Address and Email Template.
6. Click Send.

For details, see here.

For Policy based Notification

To send policy-based notifications:

1. Go to ADMIN > Settings > General > Notification Policy.
2. Click New.
3. Specify the Incident Filter Conditions (Severity, Rules, Time Range, Affected Items, Affected Organizations) carefully to avoid excessive emails.
4. Under Action, click Send Email/SMS to Target Users.
5. Enter Email Address or Users from CMDB.
6. Click Save.

For details, see here.

To see the Notification history of an Incident:

• Go to INCIDENTS > List view.
• Search the Incident (Actions > Search) or make sure that Incidents show in the right pane.
• Highlight the Incidents.
• Click Action > Show Notification History

For details, see here.

Creating New Rules

Sometime, you may want to create a new rule from scratch.

For details, see here. For additional Incident related information, see Automated Incident Resolution Recommendation .

Creating a FortiSIEM Ticket

First make sure that:

• Ticket’s assigned user is in CMDB
• Assigned user’s Manager that is going to handle escalation is in CMDB
• A Ticket Escalation Policy is defined

For adding users see Advanced Operations > Creating System users.

For defining ticket escalation policy, see here.

To create a FortiSIEM ticket:

• Go to INCIDENTS > List view.
• Search the Incident (Actions > Search) or make sure that Incidents show in the right pane.
• Highlight the Incidents.
• Click Actions > Create Ticket.
• Click Save

Note that you can put multiple Incidents on one ticket or add an Incident to an existing ticket.

For details, see here.

Creating a Ticket in External Ticketing System

First, define an Incident Outbound Integration Policy by visiting ADMIN > Settings > General > External Integration.

For details, see here.

Then set the Incident Outbound Integration Policy in Notification Policy Action:

1. Go to ADMIN > Settings > General > Notification Policy.
2. Click New.
3. Specify the Incident Filter Conditions (Severity, Rules, Time Range, Affected Items, Affected Organizations) carefully to avoid excessive emails.
4. Under Action, click Invoke an Integration Policy.
5. Choose the Integration Policy.
6. Click Save.

For details, see here.

To update external ticket state in FortiSIEM:

1. Define an Incident Inbound Integration Policy by visiting ADMIN > Settings > General > External Integration.
2. Select the Policy and click Schedule to run the Incident Inbound Integration Policy.

For details, see here.