FortiSIEM Rules

Sudden Increase in Network Interface Errors

Rule ID

PH_Rule_Stat_10

Default Status

Enabled

Description

Detects an anomaly in interface errors seen on a router/switch port. Over a 30 minute window, the total inbound or outbound errored packets or discarded packets on the interface is compared with the profiled (STAT_AVG) baseline for that interface; as written in the aggregate constraint below, the rule fires when the 30 minute total is at least twice that baseline and the baseline itself is greater than zero. To restrict alerts to significant issues, the average packet error or discard percentage over the window must also be at least 1 percent.

Severity

7

Category

Performance

MITRE ATT&CK® Tactics

Interface

MITRE ATT&CK® Techniques

No Technique Specified

Impacts

Network

Data Source

FortiSIEM Profiling

Detection

Profiling

Remediation Guidance

Identify the root cause of the network errors. The interface card may be faulty, or the MTU or another low-level link configuration may be wrong.

Time Window

If the following pattern or patterns match an ingested event within the given time window in seconds, trigger an incident.

1800 seconds

Trigger Conditions

If the following defined pattern or patterns occur within a 1800 second time window.

NetIntfError

SubPattern Definitions

SubPattern Name: NetIntfError

This is the named definition of the event query. The name matters when multiple subpatterns are defined, since it is what distinguishes them.

SubPattern Query

This is the query logic that matches incoming events.

eventType IN ("PH_DEV_MON_NET_INTF_UTIL","PH_DEV_MON_FORTIGATE_INTF_UTIL","PH_DEV_MON_FORTIAP_INTF_UTIL")

Group by Attributes

This defines how matching events are aggregated. Only events with the same values for these attributes are grouped into one unique incident ID.

hostName,hostIpAddr,intfName

Aggregate Constraint

This is most typically a numerical constraint that defines when the rule should trigger an incident.

(AVG(inIntfPktErrPct) >= 1.0 AND STAT_AVG(SUM(inIntfPktErr):111) > 0 AND SUM(inIntfPktErr) >= 2.0 * STAT_AVG(SUM(inIntfPktErr):111)) OR
(AVG(outIntfPktErrPct) >= 1.0 AND STAT_AVG(SUM(outIntfPktErr):111) > 0 AND SUM(outIntfPktErr) >= 2.0 * STAT_AVG(SUM(outIntfPktErr):111)) OR
(AVG(inIntfPktDiscardedPct) >= 1.0 AND STAT_AVG(SUM(inIntfPktDiscarded):111) > 0 AND SUM(inIntfPktDiscarded) >= 2.0 * STAT_AVG(SUM(inIntfPktDiscarded):111)) OR
(AVG(outIntfPktDiscardedPct) >= 1.0 AND STAT_AVG(SUM(outIntfPktDiscarded):111) > 0 AND SUM(outIntfPktDiscarded) >= 2.0 * STAT_AVG(SUM(outIntfPktDiscarded):111))

Incident Attribute Mapping

This section defines which fields in matching raw events should be mapped to the incident attributes in the resulting incident.

The available raw event attributes to map are limited to the group by attributes and the aggregate event constraint fields for each subpattern.

 hostName = NetIntfError.hostName,
 hostIpAddr = NetIntfError.hostIpAddr,
 intfName = NetIntfError.intfName,
 inIntfPktErr = NetIntfError.SUM(inIntfPktErr),
 outIntfPktErr = NetIntfError.SUM(outIntfPktErr),
 inIntfPktDiscarded = NetIntfError.SUM(inIntfPktDiscarded),
 outIntfPktDiscarded = NetIntfError.SUM(outIntfPktDiscarded),
 inIntfPktErrPct = NetIntfError.AVG(inIntfPktErrPct),
 outIntfPktErrPct = NetIntfError.AVG(outIntfPktErrPct),
 inIntfPktDiscardedPct = NetIntfError.AVG(inIntfPktDiscardedPct),
 outIntfPktDiscardedPct = NetIntfError.AVG(outIntfPktDiscardedPct),
 avgInIntfPktErr = NetIntfError.STAT_AVG(SUM(inIntfPktErr):111),
 avgOutIntfPktErr = NetIntfError.STAT_AVG(SUM(outIntfPktErr):111),
 avgInIntfPktDiscarded = NetIntfError.STAT_AVG(SUM(inIntfPktDiscarded):111),
 avgOutIntfPktDiscarded = NetIntfError.STAT_AVG(SUM(outIntfPktDiscarded):111)
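The following is an added, stand-alone replay of this rule's aggregate constraint and incident attribute mapping over constructed interface utilization events. It is illustration code, not FortiSIEM's own engine. Because there is no profiling history here, the STAT_AVG baselines are supplied as a hand-built dictionary (the `:111` parameter is not interpreted), and the event records, host names, addresses and interface names are all constructed. The three interfaces are chosen to show the three outcomes a practitioner should expect: a genuine error burst that fires, a high-volume link whose raw discard count doubles the baseline but whose discard percentage stays under 1 percent (no incident), and a freshly profiled interface with a zero baseline that can never fire.

```python
"""Replay of the PH_Rule_Stat_10 aggregate constraint over constructed events.

Added example, not FortiSIEM code. Baselines stand in for STAT_AVG values that
FortiSIEM would compute from profiling history.
"""
from collections import defaultdict
from statistics import mean

WINDOW_SECONDS = 1800
EVENT_TYPES = {"PH_DEV_MON_NET_INTF_UTIL", "PH_DEV_MON_FORTIGATE_INTF_UTIL",
               "PH_DEV_MON_FORTIAP_INTF_UTIL"}
GROUP_BY = ("hostName", "hostIpAddr", "intfName")

# One entry per OR branch of the constraint:
# (counter summed over the window, percentage averaged over the window,
#  incident attribute that carries the STAT_AVG baseline)
CHECKS = [
    ("inIntfPktErr", "inIntfPktErrPct", "avgInIntfPktErr"),
    ("outIntfPktErr", "outIntfPktErrPct", "avgOutIntfPktErr"),
    ("inIntfPktDiscarded", "inIntfPktDiscardedPct", "avgInIntfPktDiscarded"),
    ("outIntfPktDiscarded", "outIntfPktDiscardedPct", "avgOutIntfPktDiscarded"),
]


def group_events(events, window_start, window_seconds=WINDOW_SECONDS):
    """Apply the SubPattern Query (eventType filter) and the time window,
    then bucket events by the Group by Attributes."""
    groups = defaultdict(list)
    for ev in events:
        if ev["eventType"] not in EVENT_TYPES:
            continue
        if not (window_start <= ev["ts"] < window_start + window_seconds):
            continue
        groups[tuple(ev[k] for k in GROUP_BY)].append(ev)
    return groups


def aggregate(evs):
    """SUM the counters and AVG the percentages over one group's events."""
    agg = {}
    for count_attr, pct_attr, _ in CHECKS:
        agg[f"SUM({count_attr})"] = sum(e[count_attr] for e in evs)
        agg[f"AVG({pct_attr})"] = mean(e[pct_attr] for e in evs)
    return agg


def constraint_holds(agg, baseline):
    """Evaluate the Aggregate Constraint exactly as written: any branch where
    AVG(pct) >= 1.0, STAT_AVG > 0 and SUM(count) >= 2.0 * STAT_AVG fires."""
    for count_attr, pct_attr, base_key in CHECKS:
        stat_avg = baseline.get(base_key, 0.0)
        if (agg[f"AVG({pct_attr})"] >= 1.0 and stat_avg > 0
                and agg[f"SUM({count_attr})"] >= 2.0 * stat_avg):
            return True
    return False


def evaluate(events, baselines, window_start):
    """Return one incident dict per firing group, populated according to the
    Incident Attribute Mapping."""
    incidents = []
    for key, evs in group_events(events, window_start).items():
        agg = aggregate(evs)
        base = baselines.get(key, {})
        if not constraint_holds(agg, base):
            continue
        incident = dict(zip(GROUP_BY, key))
        for count_attr, pct_attr, base_key in CHECKS:
            incident[count_attr] = agg[f"SUM({count_attr})"]
            incident[pct_attr] = agg[f"AVG({pct_attr})"]
            incident[base_key] = base.get(base_key, 0.0)
        incidents.append(incident)
    return incidents


def make_event(ts, host, ip, intf, **counters):
    """Constructed poll record with every counter defaulting to zero."""
    ev = {"eventType": "PH_DEV_MON_NET_INTF_UTIL", "ts": ts,
          "hostName": host, "hostIpAddr": ip, "intfName": intf}
    for count_attr, pct_attr, _ in CHECKS:
        ev[count_attr] = 0
        ev[pct_attr] = 0.0
    ev.update(counters)
    return ev


# Constructed sample: six 5-minute polls per interface inside one 30-minute window.
WINDOW_START = 1_700_000_000
SAMPLE_EVENTS = []
for i in range(6):
    ts = WINDOW_START + i * 300
    # Gi1/0/1: 600 errors per poll at 2.5% -> SUM 3600 >= 2 * 1200 baseline: fires.
    SAMPLE_EVENTS.append(make_event(ts, "core-sw1", "10.0.0.2", "Gi1/0/1",
                                    inIntfPktErr=600, inIntfPktErrPct=2.5))
    # Gi1/0/2: SUM 30000 discards is 3x baseline, but only 0.1%: the percentage gate blocks it.
    SAMPLE_EVENTS.append(make_event(ts, "core-sw1", "10.0.0.2", "Gi1/0/2",
                                    outIntfPktDiscarded=5000, outIntfPktDiscardedPct=0.1))
    # Gi1/0/3: clearly bad (5%) but has no baseline yet, so STAT_AVG > 0 fails.
    SAMPLE_EVENTS.append(make_event(ts, "core-sw1", "10.0.0.2", "Gi1/0/3",
                                    inIntfPktErr=1000, inIntfPktErrPct=5.0))
# One huge sample just before the window must be ignored by the time filter.
SAMPLE_EVENTS.append(make_event(WINDOW_START - 1, "core-sw1", "10.0.0.2", "Gi1/0/2",
                                outIntfPktDiscarded=90000, outIntfPktDiscardedPct=50.0))

SAMPLE_BASELINES = {  # constructed stand-ins for STAT_AVG(SUM(...):111)
    ("core-sw1", "10.0.0.2", "Gi1/0/1"): {"avgInIntfPktErr": 1200.0},
    ("core-sw1", "10.0.0.2", "Gi1/0/2"): {"avgOutIntfPktDiscarded": 10000.0},
}

if __name__ == "__main__":
    for inc in evaluate(SAMPLE_EVENTS, SAMPLE_BASELINES, WINDOW_START):
        print(inc)
```

The Gi1/0/3 case is the one to remember when tuning: an interface with no profiling history, or whose baseline averages to zero, is silently exempt from this rule until a non-zero STAT_AVG exists, so a brand-new uplink that errors from day one will not raise this incident.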