List View

This tabular view enables the user to search incidents and take actions.

See also: Automated Incident Resolution Recommendation.

Viewing Incidents

To see this view, click INCIDENTS in the FortiSIEM header. By default, an Incidents Overview dashboard appears, displaying Incidents by Category, Top Incidents, and Top Impacted Hosts - by Severity/Risk Score. To access List View, which offers listing by Time, Device, and Incident, click the List drop-down button and select a list view.

The INCIDENTS "List by" views allow you to filter data by device and by incident.

You can set any of the INCIDENTS views as the default view by selecting User Profile > UI Settings then choosing Incidents from the Home drop-down list. You can filter the INCIDENTS view further by choosing Overview, List – by Time, List – by Device, or List – by Incident from the Incident Home drop-down list.

An incident's status can be one of the following: 

  • Active: An ongoing incident.
  • Manually Cleared: Cleared manually by a user - the incident is no longer active.
  • Auto Cleared: Automatically cleared by the system when the rule clearing condition is met. Rule clearance logic can be set in the rule definition.
  • System Cleared: Cleared by the system. All non-security related incidents are cleared from the system every night at midnight local time, and will show a status of System Cleared.
  • Externally Cleared: Cleared in the external ticketing system.

The resolution for an incident can be:

  • Open
  • In-progress
  • True Positive, or
  • False Positive

When an incident's status is Active, its resolution is Open. Once an incident is cleared, the user can set the resolution to True Positive or False Positive. Changing the resolution to False Positive requires clearing the incident; the Resolution menu does both in one step with Clear and set Resolution to False Positive.

The following sections describe the three views that are available through the INCIDENTS view:

List by Time View

The List by Time view displays a table of the incidents that have been active in the last 2 hours. Above the table, buttons show the number of incidents, the number of new incidents, the number of assigned incidents, and the number of incident notifications in the last 2 hours; click any of them to filter the table accordingly. The table is sorted by the Last Occurred column, most recent first. By default, the view refreshes automatically every minute; the refresh menu on the top bar lets you disable automatic refresh or choose a different refresh interval.

Unique to the List by Time view is a row of five time range buttons above the paginator. They filter the table to the last 15 minutes, 1 hour, 1 day, 7 days, or 30 days.
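The following Python model, added here as an illustration and not FortiSIEM code, shows how the rows of the List by Time view derive from triggering events: events with the same rule, source and target fold into one incident whose Count, First Occurred and Last Occurred are updated; the table keeps incidents active in the last 2 hours sorted most recent first; and the header buttons and the five time-range buttons are filters over that table. The sample events, rule names, and the reading of "new" as an incident that first occurred inside the window are constructed assumptions, not taken from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample triggering events (not FortiSIEM data). Each tuple is
# (event time, rule name, severity, source, target, reporting device).
NOW = datetime(2024, 5, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    (NOW - timedelta(minutes=150), "Excessive Failed Logins", "HIGH", "10.1.1.5", "dc01", "fw01"),
    (NOW - timedelta(minutes=90), "Excessive Failed Logins", "HIGH", "10.1.1.5", "dc01", "fw01"),
    (NOW - timedelta(minutes=5), "Excessive Failed Logins", "HIGH", "10.1.1.5", "dc01", "fw01"),
    (NOW - timedelta(minutes=40), "Excessive Failed Logins", "HIGH", "10.1.1.9", "dc01", "fw01"),
    (NOW - timedelta(minutes=20), "High CPU Utilization", "MEDIUM", "web01", "web01", "web01"),
    (NOW - timedelta(hours=5), "Port Scan Detected", "LOW", "203.0.113.7", "10.1.1.20", "fw01"),
]

# The five time-range buttons of the List by Time view.
TIME_RANGES = {
    "15m": timedelta(minutes=15),
    "1h": timedelta(hours=1),
    "1d": timedelta(days=1),
    "7d": timedelta(days=7),
    "30d": timedelta(days=30),
}


@dataclass
class Incident:
    id: int
    rule: str
    severity: str
    source: str
    target: str
    reporting: str
    first_occurred: datetime
    last_occurred: datetime
    count: int = 1
    status: str = "Active"
    resolution: str = "Open"
    assigned_to: Optional[str] = None
    notified: bool = False
    view_status: str = "Unread"


def aggregate(events):
    """Fold triggering events into incidents keyed on (rule, source, target).

    A repeated trigger of the same key bumps Count and Last Occurred instead of
    opening a new incident; First Occurred is the earliest trigger for the key.
    """
    incidents = {}
    for ts, rule, sev, src, tgt, rep in sorted(events, key=lambda e: e[0]):
        key = (rule, src, tgt)
        inc = incidents.get(key)
        if inc is None:
            incidents[key] = Incident(len(incidents) + 1, rule, sev, src, tgt, rep, ts, ts)
        else:
            inc.count += 1
            inc.last_occurred = ts
    return list(incidents.values())


def list_by_time(incidents, now, window=timedelta(hours=2)):
    """Rows of the List by Time view: active inside `window`, most recent first."""
    cutoff = now - window
    rows = [i for i in incidents if i.last_occurred >= cutoff]
    return sorted(rows, key=lambda i: i.last_occurred, reverse=True)


def header_counts(rows, now, window=timedelta(hours=2)):
    """The four buttons above the table. 'new' is assumed (not defined on the
    page) to mean incidents whose First Occurred falls inside the window."""
    cutoff = now - window
    return {
        "incidents": len(rows),
        "new": sum(1 for i in rows if i.first_occurred >= cutoff),
        "assigned": sum(1 for i in rows if i.assigned_to is not None),
        "notified": sum(1 for i in rows if i.notified),
    }


if __name__ == "__main__":
    incidents = aggregate(SAMPLE_EVENTS)
    rows = list_by_time(incidents, NOW)
    print(header_counts(rows, NOW))
    for i in rows:
        print(i.id, i.severity, i.last_occurred.time(), i.rule, i.source, i.target, "count=%d" % i.count)
    print("last 1h:", [i.rule for i in list_by_time(incidents, NOW, TIME_RANGES["1h"])])
```

The port scan incident is five hours old, so it drops out of the default 2-hour table but reappears under the 1 day button; the three failed-login triggers from 10.1.1.5 appear as one row with Count 3 rather than three rows.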

See the following table for information on the attributes shown for each incident. A caret appears when you hover the cursor over some attributes; click it for additional actions.

    Attribute

    Description

    Severity

    High (Red), Medium (Orange), or Low (Green).

    ID

    Incident's identification number.

    Last Occurred

    Last time this incident occurred.

    Incident

    Name of the incident. Click the caret icon for the following options:

    • Incident Details - Click to get more details on the incident.
    • Add to Filter - Click to add to filtered list.

    Tactics

    Name of the tactic involved with the incident.

    Technique

    Name of the technique involved with the incident. Click the caret icon for the following option:

    • Details - Click to get more Tactics and Technique information.

    Reporting

    Set of devices that are reporting the incident. Click the caret icon for the following options:

    • Quick Info - Click to get information on the reporting device.
    • Device Health - Click to get more device health information.
    • Vulnerabilities - Click to view the device vulnerability timeline.
    • Related Real-time Events - Click to check real-time events for the device.
    • Related Historical Events - Click to get older events for the device.
    • Real-time Performance - Click to get performance metrics.
    • Add to Filter - Click to add to filtered list.
    • Add to WatchList - Add IP address/host name to Watch List(s).

    Source

    Source of the incident (host name or IP address). Click the caret icon for the following options:

    • Quick Info - Click to get information on the source device.
    • Device Health - Click to get more device health information.
    • Vulnerabilities - Click to view the device vulnerability timeline.
    • Check Reputation - Click to check the source's reputation.
    • Related Real-time Events - Click to check real-time events for the device.
    • Related Historical Events - Click to get older events for the device.
    • Real-time Performance - Click to get performance metrics.
    • Add to Filter - Click to add to filtered list.
    • Add to WatchList - Add IP address/host name to Watch List(s).
    • Add to Application Group - Associate IP address with application group. See Working with Application Groups for more information.

    Target

    Target of the incident (host name, IP address, or user). Click the caret icon for the following options:

    • Quick Info - Click to get information on the target device.
    • Device Health - Click to get more device health information.
    • Vulnerabilities - Click to view the device vulnerability timeline.
    • Check Reputation - Click to check the target's reputation.
    • Related Real-time Events - Click to check real-time events for the device.
    • Related Historical Events - Click to get older events for the device.
    • Real-time Performance - Click to get performance metrics.
    • Add to Filter - Click to add to filtered list.
    • Add to WatchList - Add IP address/host name/user to Watch List(s).
    • Add to Application Group - Associate IP address with application group. See Working with Application Groups for more information.

    Detail

    Other incident details, for example, Counts, Average CPU utilization, file name, and so on. Click the caret icon for the following option:

    • Check Reputation - Click to check the reputation based on the detail information.

    Status

    An incident's status: Active, Manually Cleared, Auto Cleared, System Cleared, or Externally Cleared. See the status definitions under Viewing Incidents above.

    Resolution

    Current resolution of the incident (Open, In Progress, True Positive, or False Positive). Click the caret icon for the following options:

    • Set Resolution to In Progress - Change the incident resolution to "In Progress".
    • Set Resolution to True Positive - Change the incident resolution to "True Positive".
    • Clear and set Resolution to False Positive - Clear the incident and change its resolution to "False Positive".

    Biz Service

    Name of the business services affected by this incident

    Case ID

    The case ID associated with the incident. Click the ID to go to the Cases page.

    Category

    Category of incidents triggered (Availability, Change, Performance, Security and Other).

    Cleared Reason

    Reason for clearing the incident if it was cleared.

    Cleared Time

    Time at which the incident was cleared.

    Cleared User

    User who cleared the incident.

    Confidence

    The confidence level of a threat.

    Count

    Number of times the incident triggered between the first and last seen times

    Event Type

    Event type associated with this incident. All incidents with the same name have the same Incident Type.

    External Cleared Time

    Time when the incident was resolved in an external ticketing system.

    External Ticket ID

    ID of a ticket in an external ticketing system such as ServiceNow, ConnectWise, etc.

    External Ticket State

    State of a ticket in an external ticketing system.

    External Ticket Type

    Type of the external ticketing system (ServiceNow, ConnectWise, Salesforce, Remedy).

    External User

    External user assigned to a ticket in an external ticketing system.

    First Occurred

    The first time that the incident was triggered.

    Incident Comments

    Comments made on an incident.

    Incident Title

    The incident title - This typically displays more information than the "Incident" attribute.

    • Click the caret icon for the following options:
      • Incident Details - Click to get more details on the incident.
      • Add to Filter - Click to add to filtered list.

    Notification Recipients

    Incident Notification recipients

    Notification Status

    Incident Notification Status

    Organization

    Organization of the reporting device (for Service Provider installations).

    Reporting Device Status

    Status of the device: Approved or Pending. Incidents trigger only for approved devices; pending devices are still monitored.

    Reporting IP

    IP addresses of the devices reporting the incident.

    Subcategory

    Subcategory of the triggered incident. Custom subcategories can be added to an incident category.

    Tag

    Name of the tag involved with the rule that triggered the incident.

    View Status

    Whether the incident has been Read or Not.

    To see the incident details, click the incident, or hover your cursor over the incident name, click the caret icon, and select Incident Details. The details pane has the following tabs:

    • Incident Details - Includes the full list of incident attributes in a separate pane:

      Incident ID - Unique ID of the incident in the Incident database.
      Incident Title - A system default title or a user-defined title for an incident.
      Rule Name - Rule involved with the incident.
      Event Type - Event type associated with this incident. All incidents with the same name have the same Incident Type.
      Severity Category - Incident Severity Category: High, Medium or Low.
      First Occurred - The first time that the incident was triggered.
      Last Occurred - The last time that the incident was triggered.
      Category - Category of the incident triggered.
      Subcategory - Subcategory of the triggered incident. Custom subcategories can be added to an incident category.
      Tactics - Name of the tactics involved with the incident.
      Technique - Name of the technique involved with the incident.
      Organization - Organization of the reporting device (for Service Provider installations).
      Reporting - Reporting device.
      Reporting IP - IP addresses of the devices reporting the incident.
      Reporting Device Status - Status of the device: Approved or Pending. Incidents trigger only for approved devices; pending devices are still monitored.
      Target - Target of the incident (host name, IP address, or user).
      Detail - Event attributes that triggered the incident.
      Count - Number of times this incident has occurred with the same incident source and target criteria.
      Resolution - Open (not yet known whether the incident is a True Positive or a False Positive), In Progress, True Positive, or False Positive. When an incident's status is Active, its resolution is Open. Once an incident is cleared, the user can set the resolution to True Positive or False Positive; changing the resolution to False Positive requires clearing the incident.
      Case ID - The Case ID for the case associated with the incident. Click the Case ID link to go to the Cases page for the selected case.
      View Status - Whether the incident has been Read or Not.
    • Threat - Displays threat related information, including FortiGuard IP Geolocation, Whois, and Watchlist information. It also provides FortiGuard and VirusTotal analysis, if configured.

    • Triggering Events - Displays the set of events that triggered the incident. If an incident involves multiple sub-patterns, select the sub-pattern to see the events belonging to it. When an event is selected, the raw message and parsed fields for that event are displayed. A "Copy to clipboard" icon copies the raw message, and the FortiAI icon can be clicked to provide an analysis and recommended action.
    • Rule Summary - Displays the definition of the rule that triggered the incident and the triggered event attributes.
    • Comments - Comments made on the incident.
    • Context - Displays contextual incident information.
    • Action History - Displays the action history for the incident.

    To close the incident details pane, click the highlighted incident, or click X in the upper right corner of the pane itself.

    List by Device View

    The upper pane of the List by Device view lists the devices that are experiencing incidents. In the list, the device can be identified by either an IP or a host name. The name of the device is followed by the organization name and the number of incidents. Click the device name to see the incidents associated with the device. This view contains the same features and functionality as the List by Time view.

    List by Incident View

    The upper pane of the List by Incident view lists the incidents detected by FortiSIEM. The name of the incident is followed by the number of incidents. Click the incident name to see the individual incidents of that type. This view contains the same features and functionality as the List by Time view.

    Acting on Incidents

    The Actions menu provides a list of actions that can be taken on incidents.

    To change the incident attribute display columns in the List View, select the Columns drop-down list and check/uncheck the desired attributes to display. When done, click the Columns drop-down button again.

    Location View

    To see a Location View of the incidents, select the Show locations (pin) icon, located in the Incident Title row. From the Select Column to Plot drop-down list, select Incident Source or Incident Target to plot the corresponding geographical locations. FortiSIEM has a built-in database of locations of public IP addresses. Locations for private IP addresses can be defined in ADMIN > Settings > Discovery > Location.

    Note: This feature requires Google Maps API Key to be configured, under Admin > Settings > System > UI.

    Clearing Incidents

    To clear one or more incidents, select them and choose Clear Incident from the Actions menu; to clear every incident in the current view, choose Clear All Incidents in View without selecting any. In the Resolution field, select True Positive or False Positive for the affected incidents; a Reason field is available to explain why the incidents are being cleared.

    Note:

    • To select a range of incidents, hold down the Shift key, select an incident, then select the last incident you wish to include in the range as part of your selected incidents.
    • To select specific incidents, hold down the Ctrl key, and click each incident that you wish to include.

    Actions

    You can perform the following operations using the Actions menu:

    Changing the Severity of an Incident

    1. Select the incident.
    2. Select Change Severity from the Actions menu.
    3. Select Change to HIGH, MEDIUM, or LOW.

    Clearing One or More Incidents

    1. Search for specific incidents and move them into the right pane.
    2. Select the first incident.
    3. Press and hold the Shift key and select the last incident – all incidents between the first and the last are highlighted.
    4. Select Clear Incident from the Actions menu.
    5. Select whether the Resolution is True Positive or False Positive.
    6. Enter a Reason for clearing.
    7. Click OK.

    Disabling One or More Rules

    1. Search for specific incidents and move them into the right pane.
    2. Select the first incident.
    3. Press and hold the Shift key and select the last incident – all incidents between the first and the last are highlighted.
    4. Select Disable Rule from the Actions menu.
    5. For Service Provider installations, select the Organizations for which to disable the rule.
    6. Click Save.

    Exporting One or More Incidents into a PDF or CSV File

    1. Search for specific incidents and move them into the right pane.
    2. Select the first incident.
    3. Press and hold the Shift key and select the last incident – all incidents between the first and the last are highlighted.
    4. Select Export from the Actions menu.
    5. Enter or edit the comment in the edit box.
    6. Select the Output Format and Maximum Rows.
    7. Click Generate.
      A file will be downloaded in your browser.

    Fine Tuning a Rule Triggering an Incident

    1. Select an incident.
    2. Select Edit Rule from the Actions menu.
    3. In the Edit Rule dialog box, make the required changes.
    4. Click OK.

    Creating an Exception for the Rule

    1. Select an incident.
    2. Select Edit Rule Exception from the Actions menu.
    3. In the Edit Rule Exception dialog box, make the required changes:
      1. For Service provider deployments, select the Organizations for which the exception will apply.
      2. Select the exception criteria:
        1. For incident attribute based exceptions, select the incident attributes for which rule will not trigger.
        2. For time based exceptions, select the time for which rule will not trigger.
        3. Select AND/OR between the two criteria.
        4. Add Notes.
      3. Click Save.
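The following Python, added as an illustration of the exception semantics described in the steps above and not FortiSIEM code, models a rule exception with an incident-attribute criterion, a time criterion, and the AND/OR combiner, scoped to organizations. The exception object, the incident dicts, the CIDR matching, and the handling of time windows that cross midnight are constructed assumptions; the page only says that attributes and times can be selected and combined.

```python
import ipaddress
from datetime import datetime, time

# Constructed exception: suppress the rule for sources in the vulnerability
# scanner subnet during the nightly scan window, for one organization only.
SCANNER_EXCEPTION = {
    "organizations": {"Acme"},                      # empty set = all organizations
    "attributes": {"source": {"10.1.1.0/24"}},      # incident attribute -> allowed values / CIDRs
    "times": [({0, 1, 2, 3, 4}, time(1, 0), time(3, 0))],   # (weekdays Mon=0..Sun=6, start, end)
    "combine": "AND",
    "notes": "Nightly authenticated scans from the scanner subnet",
}

# Constructed exception with only a time criterion whose window crosses midnight.
MAINTENANCE_EXCEPTION = {
    "attributes": {},
    "times": [({0}, time(22, 0), time(2, 0))],      # Monday 22:00 to Tuesday 02:00
    "combine": "AND",
}

# Constructed incident and timestamps (2024-05-06 is a Monday).
SCAN_INCIDENT = {"rule": "Excessive Failed Logins", "source": "10.1.1.5",
                 "target": "dc01", "organization": "Acme"}
MON_1200 = datetime(2024, 5, 6, 12, 0)
MON_2300 = datetime(2024, 5, 6, 23, 0)
TUE_0100 = datetime(2024, 5, 7, 1, 0)
TUE_0200 = datetime(2024, 5, 7, 2, 0)
TUE_1400 = datetime(2024, 5, 7, 14, 0)
SAT_0200 = datetime(2024, 5, 11, 2, 0)


def _value_matches(value, allowed):
    """Exact match, or CIDR containment when the candidate is a network."""
    if value is None:
        return False
    for candidate in allowed:
        if candidate == value:
            return True
        if "/" in candidate:
            try:
                if ipaddress.ip_address(value) in ipaddress.ip_network(candidate, strict=False):
                    return True
            except ValueError:
                continue
    return False


def attributes_match(criteria, incident):
    """Every listed attribute must match: a multi-attribute criterion is a conjunction."""
    return all(_value_matches(incident.get(attr), allowed) for attr, allowed in criteria.items())


def time_matches(windows, ts):
    """True if ts falls inside any window; a window may cross midnight."""
    t, wd = ts.time(), ts.weekday()
    for weekdays, start, end in windows:
        if start <= end:
            if wd in weekdays and start <= t < end:
                return True
        else:
            # The part after midnight belongs to the previous weekday's window.
            if (wd in weekdays and t >= start) or ((wd - 1) % 7 in weekdays and t < end):
                return True
    return False


def is_suppressed(exception, incident, ts):
    """Decide whether the exception stops this incident from triggering at ts."""
    orgs = exception.get("organizations")
    if orgs and incident.get("organization") not in orgs:
        return False
    checks = []
    if exception.get("attributes"):
        checks.append(attributes_match(exception["attributes"], incident))
    if exception.get("times"):
        checks.append(time_matches(exception["times"], ts))
    if not checks:
        return False  # an exception with no criteria never suppresses anything
    return all(checks) if exception.get("combine", "AND") == "AND" else any(checks)


if __name__ == "__main__":
    for ts in (TUE_0200, TUE_1400, SAT_0200):
        print(ts, "suppressed" if is_suppressed(SCANNER_EXCEPTION, SCAN_INCIDENT, ts) else "triggers")
```

With AND, the scanner incident is suppressed only inside the window; switching the combiner to OR suppresses every incident from that subnet at any time, and every incident from any source inside the window, which is usually far broader than intended and worth checking before saving.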

    Creating Event Dropping Rules

    Event Dropping Rules may need to be created to prevent an incident from triggering. To create such a rule:

    1. Select an incident.
    2. Select Event Dropping Rule from the Actions menu.
    3. In the Event Dropping Rule dialog box, enter the event dropping criteria:
      1. Organization - For Service Provider deployments, select the organizations to which the dropping rule applies.
      2. Reporting Device - Select the device whose reported events will be dropped.
      3. Event Type - Select the matching event types.
      4. Source IP - Select the matching source IP address in the event.
      5. Destination IP - Select the matching destination IP address in the event.
      6. Action - Choose to drop the events completely or store them in the event database. If you store events, you can select the following actions:
        • Do not trigger rules
        • Drop attributes (Click the edit icon to open the selection window and select the attributes to drop)
      7. Regex filter - Select a regex filter to match the raw event log.
      8. Description - Add a description for the drop rule.
    4. Click Save.
      The rule appears in ADMIN > Settings > Event Handling > Dropping.
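The following Python, added as an illustration and not FortiSIEM's implementation, models how a dropping rule built from the criteria above is applied to incoming events: the reporting device, event type, source and destination IP, and a regex over the raw log must all match, and the action is either to drop the event entirely, or to store it while optionally skipping the rule engine and stripping attributes. The rules, event dicts, field names, event type names, and first-match-wins ordering are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DropRule:
    """Criteria of one dropping rule; an empty set means 'any'."""
    description: str
    reporting_devices: set = field(default_factory=set)
    event_types: set = field(default_factory=set)
    source_ips: set = field(default_factory=set)       # exact IPs or CIDRs
    dest_ips: set = field(default_factory=set)
    regex: Optional[str] = None                        # matched against the raw log
    action: str = "drop"                               # "drop" or "store"
    trigger_rules: bool = True                         # only meaningful for "store"
    drop_attributes: set = field(default_factory=set)  # only meaningful for "store"
    organizations: set = field(default_factory=set)


# Constructed rules (not FortiSIEM objects).
RULES = [
    DropRule("Drop intra-backup-VLAN permits from fw01", reporting_devices={"fw01"},
             event_types={"Firewall-Permit"}, source_ips={"10.50.0.0/16"}, dest_ips={"10.50.0.0/16"}),
    DropRule("Keep proxy health checks but do not correlate them", reporting_devices={"proxy01"},
             event_types={"Web-Access"}, regex=r"GET /healthz", action="store",
             trigger_rules=False, drop_attributes={"user"}),
]

# Constructed sample events with invented field and event type names.
SAMPLE_EVENTS = [
    {"reporting_device": "fw01", "event_type": "Firewall-Permit", "source_ip": "10.50.1.10",
     "dest_ip": "10.50.2.20", "raw_message": "action=permit src=10.50.1.10 dst=10.50.2.20"},
    {"reporting_device": "proxy01", "event_type": "Web-Access", "source_ip": "10.1.1.7",
     "dest_ip": "10.1.1.8", "user": "monitor", "raw_message": "GET /healthz 200"},
    {"reporting_device": "fw01", "event_type": "Firewall-Deny", "source_ip": "203.0.113.7",
     "dest_ip": "10.50.2.20", "raw_message": "action=deny src=203.0.113.7 dst=10.50.2.20"},
]


def _ip_in(value, allowed):
    """Exact IP or CIDR containment; an empty criterion matches anything."""
    if not allowed:
        return True
    for candidate in allowed:
        if candidate == value:
            return True
        if "/" in candidate:
            try:
                if ipaddress.ip_address(value) in ipaddress.ip_network(candidate, strict=False):
                    return True
            except ValueError:
                continue
    return False


def matches(rule, event):
    """All criteria of the rule must hold for the event (empty criteria always hold)."""
    return (
        (not rule.organizations or event.get("organization") in rule.organizations)
        and (not rule.reporting_devices or event.get("reporting_device") in rule.reporting_devices)
        and (not rule.event_types or event.get("event_type") in rule.event_types)
        and _ip_in(event.get("source_ip"), rule.source_ips)
        and _ip_in(event.get("dest_ip"), rule.dest_ips)
        and (rule.regex is None or re.search(rule.regex, event.get("raw_message", "")) is not None)
    )


def apply_drop_rules(rules, event):
    """Return (event to store or None, whether it is fed to the rule engine).

    The first matching rule in list order decides; no match stores and correlates.
    """
    for rule in rules:
        if not matches(rule, event):
            continue
        if rule.action == "drop":
            return None, False
        stored = {k: v for k, v in event.items() if k not in rule.drop_attributes}
        return stored, rule.trigger_rules
    return event, True


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        stored, correlate = apply_drop_rules(RULES, ev)
        print(ev["event_type"], "->", "dropped" if stored is None else "stored", "correlate=%s" % correlate)
```

The first rule is tightly scoped on device, type, and both address ranges so that a permit between 10.50.x and an outside host is still kept; the second rule shows the store-without-triggering path, which silences the incident while keeping the events searchable, and strips a field with no analytical value before storage.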

    Creating a Case

    See Creating a Case from the INCIDENTS tab.

    Emailing Incidents

    Incidents can be emailed to one or more recipients. Make sure that email settings are defined in ADMIN > Settings > System > Email. Email notification from the Incident page is ad hoc and must be set up manually by the user after the incident has triggered. To define an automatic notification, create an Incident Automation Policy in ADMIN > Settings > Automation Policy. To email one or more incidents on demand:

    1. Search for specific incidents and move them into the right pane.
    2. Select the first incident.
    3. Press and hold Shift key and select the last incident – all incidents between the first and the last are highlighted.
    4. Select Notify via Email from the Actions menu and enter the following information:
      1. Send To – a list of receiver email addresses, separated by commas.
      2. Email template – Choose an email template. You can use the default email template, or create your own in ADMIN > Settings > System > Email > Incident Email Template.

    Creating a Remediation Action

    Incidents can be mitigated by deploying a mitigation script, for example, blocking an IP in a firewall or disabling a user in Active Directory. Incident mitigation from the Incident page is ad hoc and must be set up manually by the user after the incident has triggered.

    To define an automatic remediation, create an Incident Automation Policy in ADMIN > Settings > General > Automation Policy. Click New, and in the Automation Policy dialog box, select Run Remediation/Script in the Action section. To create a remediation action:

    1. Select an incident.
    2. Select Remediate Incident from the Actions menu.
    3. Choose the Enforce On devices – the script will run on those devices. Make sure that FortiSIEM has working credentials for these devices defined in ADMIN > Setup > Credentials.
    4. Choose the Remediation script from the drop-down menu.
      Note: Some remediation scripts, such as those for FortiGate/FortiOS version 7.0 and higher, require a VDOM. Enter a Virtual Domain (VDOM) in the VDOM field for these scripts. This field is case sensitive, so the VDOM must be entered exactly as it is named.
    5. In the Run On drop-down list, choose the node on which the remediation will run.
    6. Click Run. If you do not have permission to run remediation, a Create New Request window appears. Take the following actions:
    7. In the Approver drop-down list, select an approver. Fortinet recommends selecting all approvers to better ensure a response.
    8. In the Type drop-down list, ensure Remediation Request is selected.
    9. In the Justification field, enter an explanation of why you want to run the remediation.
    10. Click Submit. An email with your request is sent to all selected approvers. Approvers receive a pending task notification in the FortiSIEM console, where they can resolve the request.
    11. If you receive an approval email, repeat steps 1 through 6 before the approval expires. If the request was rejected or the approval has expired, repeat steps 1 through 10 to try again.

    Resolve Incident

    You can directly resolve an incident by taking the following actions.

    1. Select the incident.
    2. From the Actions drop-down list, select Resolve Incident.
    3. Select the resolution (Open, In Progress, True Positive, False Positive).
    4. Click OK.

    Check Reputation

    FortiSIEM utilizes an external integration policy to perform a reputation check on incidents.

    To create an external integration policy, navigate to ADMIN > Settings > General > External Integration. Click New to begin creating an external integration. For more information, see Configuring External Integration.

    To perform a reputation check, take the following steps:

    1. Select an incident (or event from Analytics).
    2. Select Check Reputation from the Actions menu.

    A Check Reputation sidebar will appear with reputation related information.

    Note: For incidents, you can add comments by selecting Add Results to Comment from the Actions drop-down list.

    Show Case History

    Note: Prior to FortiSIEM 7.0.0, this was Show Ticket History.

    1. Select an incident.
    2. Select Show Case History from the Actions menu.
    3. The Ticket History dialog box opens and displays the following information:

      Detail:
      • Incident ID - The unique ID of the incident in the incident database.
      • Due Date - The date by which the ticket should be resolved.
      • Escalation Policy - The escalation policy defined for the incident.
      • Attachment - The list of files related to the incident.

      Action History:
      • Created at - The time when the incident was created.
      • Incident Name - The name of the rule that triggered the incident.
      • Incident Target - The IP or host name where the incident occurred.
      • Incident Detail - The event attributes that triggered the incident.
      • Incident ID - The unique ID of the incident in the incident database.

    Investigate

    1. Select an incident.
    2. Select Investigate from the Actions menu.

    You will be taken to the Analytics > Investigation page. See Investigating Incidents.

    Searching Incidents

    1. Select Search by clicking the Search icon.
    2. In the left pane, click an incident attribute (for example, Category). All possible values of the selected attribute are shown, each with a count (for example, Security, Availability, and Performance for Category).
    3. Select a value (for example, Performance); the right pane updates with the matching incidents.
    4. Click and select other incident attributes to refine the search, or click the Trash icon to cancel a selection.
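As an added illustration (not FortiSIEM code), the following Python models the faceted search described in these steps over a small constructed set of incident rows: the left pane is a count of each value of an attribute, the right pane is the set of incidents satisfying every current selection, and selecting or trashing a value refines or relaxes the search. The incident rows and attribute names are constructed, and the choice to compute an attribute's counts against the other selections only, so that sibling values of the attribute being refined stay visible, is this model's assumption about the behaviour rather than something the page states.

```python
from collections import Counter

# Constructed incident rows (not FortiSIEM data); only the attributes used for faceting.
INCIDENTS = [
    {"id": 1, "category": "Security", "severity": "HIGH", "status": "Active", "reporting": "fw01"},
    {"id": 2, "category": "Security", "severity": "MEDIUM", "status": "Active", "reporting": "fw01"},
    {"id": 3, "category": "Security", "severity": "LOW", "status": "Manually Cleared", "reporting": "proxy01"},
    {"id": 4, "category": "Performance", "severity": "MEDIUM", "status": "Active", "reporting": "web01"},
    {"id": 5, "category": "Availability", "severity": "HIGH", "status": "Auto Cleared", "reporting": "db01"},
]


def _matches(incident, selections):
    """An incident matches when, for every selected attribute, its value is one of the chosen values."""
    return all(incident.get(attr) in values for attr, values in selections.items())


def search(incidents, selections):
    """The right pane: incidents that satisfy every current selection."""
    return [i for i in incidents if _matches(i, selections)]


def facet_counts(incidents, attribute, selections):
    """The left pane for one attribute: each of its values with a count.

    Counts are taken over the incidents matching the *other* selections, so the
    pane keeps offering the sibling values of the attribute being refined.
    """
    others = {a: v for a, v in selections.items() if a != attribute}
    return Counter(i[attribute] for i in incidents if _matches(i, others))


def select(selections, attribute, value):
    """Click a value: add it to that attribute's selection (returns a new dict)."""
    new = {a: set(v) for a, v in selections.items()}
    new.setdefault(attribute, set()).add(value)
    return new


def clear(selections, attribute):
    """The Trash icon: drop the selection for one attribute (returns a new dict)."""
    return {a: set(v) for a, v in selections.items() if a != attribute}


if __name__ == "__main__":
    sel = {}
    print("category:", dict(facet_counts(INCIDENTS, "category", sel)))
    sel = select(sel, "category", "Performance")
    print("after selecting Performance:", [i["id"] for i in search(INCIDENTS, sel)])
    sel = select(sel, "severity", "MEDIUM")
    print("category counts with severity=MEDIUM:", dict(facet_counts(INCIDENTS, "category", sel)))
    print("after trashing category:", [i["id"] for i in search(INCIDENTS, clear(sel, "category"))])
```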

    Changing the Time Range for the Search

    1. Select Search by clicking the Search icon.
    2. Near the top of the left panel, click the time value.
    3. Click Relative or Absolute:
      • If you click Relative, adjust the time value in the Last field.
      • If you click Absolute enter a time range. If you select Always Prior, enter a time period prior to the current time.

    Saving the Search Criteria

    Once you have performed your search, follow these steps to save the search criteria:

    1. Click the Save icon, which appears above the list of incident attributes and to the right of Search.
    2. In the Save Search Filter under by Time as dialog box, enter a name for the filter or accept the default. The default is a time stamp value such as Search Filters - 12/17/2019 17:04:59.

    The filter then appears in the Search drop-down list of the view it was saved from: a filter saved in the List by Time, List by Device, or List by Incident view appears in that view's Search drop-down list.

    Searching for MITRE ATT&CK Incidents

    To find incidents that fall into any of the MITRE ATT&CK categories, follow these steps:

    1. Select Search by clicking the Search icon.
    2. Click Tactics or Technique in the left pane.
      The total number of security incidents will appear under the selected MITRE ATT&CK category.
    3. Select one or more checkboxes next to the categories of interest.
      The incidents associated with the category are displayed.

    For more information on MITRE ATT&CK views and MITRE ATT&CK categories, see MITRE ATT&CK View.