Fortigate_Critical_Event
ID: 100217
Description:
A Fortigate critical event has been detected
Repository: Fluency Group: Fortigate Type: event
Default Status:
Enabled
| Tags: |
|---|
| Fortigate |
Selector:
Query:
Filters:
| Field | MUST hit |
|---|---|
| @fortigate.crlevel | critical |
| @fortigate.direction | outgoing |
| @fortigate.srcip | entity: [ HOME_NET ] |
| Field | MUST NOT hit |
|---|---|
| @fortigate.eventtype | anomaly |
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @fortigate.srcip | ip | security alert |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
| ALERT_NORMAL | 100 | alert |
Attributes:
| Alias | Key |
|---|---|
| AttackType | @fortigate.attack |
| SrcIP | @fortigate.srcip |
| DestIP | @fortigate.dstip |
| SrcCountry | @fortigate.srccountry |
| Action | @fortigate.action |
| Message | @fortigate.msg |
| Subtype | @fortigate.subtype |
| Reference | @fortigate.ref |
Correlation Rules:
First Occurrence:
| Name | Window | Fields |
|---|---|---|
| SourceIP | 10 days | @fortigate.srcip |
| Risks: | ML_NEW_IP | |
| NewAttack | 10 days | @fortigate.attack |
| Risks: | ML_NEW_ALERT |
History:
| User | Date |
|---|---|
| em*n@fluencysecurity.com | 2021 Mar 23 13:55:03 EDT |
| em*n@fluencysecurity.com | 2021 Mar 23 14:27:02 EDT |
| em*n@fluencysecurity.com | 2021 Mar 24 17:32:57 EDT |
| em*n@fluencysecurity.com | 2021 Jun 17 14:45:52 EDT |
| ke*y@fluencysecurity.com | 2021 Dec 17 08:38:55 EST |
| ke*y@fluencysecurity.com | 2021 Dec 17 17:22:20 EST |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)