PH_Rule_Stat_10
Enabled
Detects an anomaly in interface errors seen on a router/switch port. Over a 30 minute window, the total inbound or outbound errored packets or discarded packets on the interface is more than 2 standard deviations away from the mean. To limit detection to significant issues, the average packet error rate or packet discard rate must also be more than 1 percent.
7
Performance
Interface
No Technique Specified
Network
FortiSIEM Profiling
Profiling
Identify the root cause of the network errors. The interface card may be faulty, or the MTU or another Layer 1 configuration setting may be wrong.
If the following pattern or patterns match an ingested event within the given time window in seconds, trigger an incident.
1800 seconds
If the following defined pattern or patterns occur within a 1800 second time window.
NetIntfError
This is the name of the event query subpattern; it matters when multiple subpatterns are defined, because it is what distinguishes them.
This is the query logic that matches incoming events:
eventType IN ("PH_DEV_MON_NET_INTF_UTIL","PH_DEV_MON_FORTIGATE_INTF_UTIL","PH_DEV_MON_FORTIAP_INTF_UTIL")
This defines how matching events are aggregated; only events with the same values for these attributes are grouped into one unique incident ID.
hostName,hostIpAddr,intfName
This is most typically a numerical constraint that defines when the rule should trigger an incident:
(AVG(inIntfPktErrPct) >= 1.0 AND STAT_AVG(SUM(inIntfPktErr):111) > 0 AND SUM(inIntfPktErr) >= 2.0 * STAT_AVG(SUM(inIntfPktErr):111)) OR
(AVG(outIntfPktErrPct) >= 1.0 AND STAT_AVG(SUM(outIntfPktErr):111) > 0 AND SUM(outIntfPktErr) >= 2.0 * STAT_AVG(SUM(outIntfPktErr):111)) OR
(AVG(inIntfPktDiscardedPct) >= 1.0 AND STAT_AVG(SUM(inIntfPktDiscarded):111) > 0 AND SUM(inIntfPktDiscarded) >= 2.0 * STAT_AVG(SUM(inIntfPktDiscarded):111)) OR
(AVG(outIntfPktDiscardedPct) >= 1.0 AND STAT_AVG(SUM(outIntfPktDiscarded):111) > 0 AND SUM(outIntfPktDiscarded) >= 2.0 * STAT_AVG(SUM(outIntfPktDiscarded):111))
This section defines which fields in matching raw events are mapped to the incident attributes of the resulting incident.
The raw event attributes available for mapping are limited to the group-by attributes and the aggregate constraint fields of each subpattern.
hostName = NetIntfError.hostName,
hostIpAddr = NetIntfError.hostIpAddr,
intfName = NetIntfError.intfName,
inIntfPktErr = NetIntfError.SUM(inIntfPktErr),
outIntfPktErr = NetIntfError.SUM(outIntfPktErr),
inIntfPktDiscarded = NetIntfError.SUM(inIntfPktDiscarded),
outIntfPktDiscarded = NetIntfError.SUM(outIntfPktDiscarded),
inIntfPktErrPct = NetIntfError.AVG(inIntfPktErrPct),
outIntfPktErrPct = NetIntfError.AVG(outIntfPktErrPct),
inIntfPktDiscardedPct = NetIntfError.AVG(inIntfPktDiscardedPct),
outIntfPktDiscardedPct = NetIntfError.AVG(outIntfPktDiscardedPct),
avgInIntfPktErr = NetIntfError.STAT_AVG(SUM(inIntfPktErr):111),
avgOutIntfPktErr = NetIntfError.STAT_AVG(SUM(outIntfPktErr):111),
avgInIntfPktDiscarded = NetIntfError.STAT_AVG(SUM(inIntfPktDiscarded):111),
avgOutIntfPktDiscarded = NetIntfError.STAT_AVG(SUM(outIntfPktDiscarded):111)
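As an added illustration of the aggregate constraint and the incident attribute mapping above (this is not FortiSIEM code and not part of the original rule definition), the following Python evaluates the rule over constructed interface polling events for one 1800-second window. The STAT_AVG(...:111) profiling baselines are supplied as plain numbers keyed by the group-by attributes, which is an assumption about what the profiler provides; the event type filter, the group-by on hostName/hostIpAddr/intfName, the AVG >= 1.0 percent gate, the STAT_AVG > 0 guard and the SUM >= 2.0 * STAT_AVG comparison follow the constraint exactly as it is written on the page. The sample data shows one interface that fires, one whose error count is elevated but whose error percentage stays under 1 percent, one with no profiled baseline, and one stale poll that falls outside the window.

```python
"""Evaluate the PH_Rule_Stat_10 aggregate constraint over a 30-minute window.

Constructed example, not FortiSIEM code. Baselines stand in for the
STAT_AVG(SUM(x):111) profiling values (assumption: one number per
group-by key and per counter attribute).
"""
from collections import defaultdict

EVENT_TYPES = {
    "PH_DEV_MON_NET_INTF_UTIL",
    "PH_DEV_MON_FORTIGATE_INTF_UTIL",
    "PH_DEV_MON_FORTIAP_INTF_UTIL",
}
WINDOW_SECONDS = 1800

# The four OR-ed clauses of the constraint: (AVG percent attribute, SUM count attribute).
CLAUSES = [
    ("inIntfPktErrPct", "inIntfPktErr"),
    ("outIntfPktErrPct", "outIntfPktErr"),
    ("inIntfPktDiscardedPct", "inIntfPktDiscarded"),
    ("outIntfPktDiscardedPct", "outIntfPktDiscarded"),
]


def aggregate_window(events, window_end):
    """Group matching events in (window_end - 1800, window_end] by host/IP/interface
    and compute SUM of each counter and AVG of each percentage per group."""
    groups = defaultdict(list)
    for ev in events:
        if ev["eventType"] not in EVENT_TYPES:
            continue
        if not (window_end - WINDOW_SECONDS < ev["ts"] <= window_end):
            continue
        groups[(ev["hostName"], ev["hostIpAddr"], ev["intfName"])].append(ev)
    aggregates = {}
    for key, evs in groups.items():
        agg = {}
        for pct, cnt in CLAUSES:
            agg[cnt] = sum(e[cnt] for e in evs)             # SUM(cnt)
            agg[pct] = sum(e[pct] for e in evs) / len(evs)  # AVG(pct)
        aggregates[key] = agg
    return aggregates


def evaluate_rule(events, baselines, window_end):
    """Return one incident per group for which at least one clause holds,
    carrying the incident attributes named in the rule's mapping."""
    incidents = []
    for key, agg in aggregate_window(events, window_end).items():
        base = baselines.get(key, {})
        fired = []
        for pct, cnt in CLAUSES:
            stat_avg = base.get(cnt, 0.0)
            # AVG(pct) >= 1.0 AND STAT_AVG > 0 AND SUM(cnt) >= 2.0 * STAT_AVG
            if agg[pct] >= 1.0 and stat_avg > 0 and agg[cnt] >= 2.0 * stat_avg:
                fired.append(cnt)
        if fired:
            incident = {"hostName": key[0], "hostIpAddr": key[1], "intfName": key[2], **agg}
            for _, cnt in CLAUSES:  # avgInIntfPktErr = STAT_AVG(SUM(inIntfPktErr):111), etc.
                incident["avg" + cnt[0].upper() + cnt[1:]] = base.get(cnt, 0.0)
            incident["firedClauses"] = fired
            incidents.append(incident)
    return incidents


def _poll(ts, host, ip, intf, event_type="PH_DEV_MON_NET_INTF_UTIL", **counters):
    """Build one constructed polling event; unspecified counters default to zero."""
    ev = {"eventType": event_type, "ts": ts, "hostName": host, "hostIpAddr": ip, "intfName": intf}
    for pct, cnt in CLAUSES:
        ev[cnt], ev[pct] = 0, 0.0
    ev.update(counters)
    return ev


# Constructed sample: six 5-minute polls per interface inside the window ending at t=1800.
SAMPLE_EVENTS = [
    # Stale poll at t=0 with huge values: outside the window, must be ignored.
    _poll(0, "core-sw1", "10.0.0.1", "Gi1/0/1", inIntfPktErr=100000, inIntfPktErrPct=50.0),
]
for ts in range(300, 1801, 300):
    # Fires: 450 errors >= 2 * 100 baseline and 1.5 % >= 1 %; discards stay below 2 * 150.
    SAMPLE_EVENTS.append(_poll(ts, "core-sw1", "10.0.0.1", "Gi1/0/1", inIntfPktErr=75,
                               inIntfPktErrPct=1.5, outIntfPktDiscarded=40, outIntfPktDiscardedPct=2.0))
    # Elevated count but only 0.3 % of traffic: blocked by the 1 percent gate.
    SAMPLE_EVENTS.append(_poll(ts, "core-sw1", "10.0.0.1", "Gi1/0/2", inIntfPktErr=200, inIntfPktErrPct=0.3))
    # High discard rate but no profiled baseline (STAT_AVG = 0): the rule cannot fire.
    SAMPLE_EVENTS.append(_poll(ts, "edge-fw1", "10.0.0.2", "port1", "PH_DEV_MON_FORTIGATE_INTF_UTIL",
                               inIntfPktDiscarded=30, inIntfPktDiscardedPct=5.0))

SAMPLE_BASELINES = {
    ("core-sw1", "10.0.0.1", "Gi1/0/1"): {"inIntfPktErr": 100.0, "outIntfPktDiscarded": 150.0},
    ("core-sw1", "10.0.0.1", "Gi1/0/2"): {"inIntfPktErr": 100.0},
}

if __name__ == "__main__":
    for inc in evaluate_rule(SAMPLE_EVENTS, SAMPLE_BASELINES, window_end=1800):
        print(inc)
```

Running the block prints a single incident for core-sw1 Gi1/0/1 with inIntfPktErr = 450, inIntfPktErrPct = 1.5 and avgInIntfPktErr = 100.0; the other two interfaces are suppressed by the 1 percent gate and the STAT_AVG > 0 guard respectively, and the stale t=0 poll never enters the aggregate.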