Fortigate_Critical_Event

ID: 100217

Description:

A Fortigate critical event has been detected

Repository: Fluency

Group: Fortigate

Type: event

Default Status:

Enabled

Tags:

Fortigate

Selector:

Query:

Filters:

Field                  MUST hit
@fortigate.crlevel     critical
@fortigate.direction   outgoing

Field                  MUST NOT hit
@fortigate.eventtype   anomaly

Behavior Rule:

Key                Type   Behavior   Category
@fortigate.srcip   ip     security   alert

Risks:

Risks          Base Score   Dimension
ALERT_NORMAL   100          alert

Attributes:

Alias        Key
AttackType   @fortigate.attack
SrcIP        @fortigate.srcip
DestIP       @fortigate.dstip
SrcCountry   @fortigate.srccountry
Action       @fortigate.action
Message      @fortigate.msg
Subtype      @fortigate.subtype
Reference    @fortigate.ref

Correlation Rules:

First Occurrence:

Name        Window    Fields              Risks
SourceIP    10 days   @fortigate.srcip    ML_NEW_IP
NewAttack   10 days   @fortigate.attack   ML_NEW_ALERT
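The filter, base risk and first-occurrence correlation defined above, carried through as an added Python example (this is not Fluency's own rule engine or code). It assumes each normalized event is a dict keyed by the @fortigate.* field names on this page plus an assumed ISO-8601 "time" field, and the sample events are constructed. It also shows the edge cases the rule tables leave implicit: an event missing the eventtype field still passes the MUST NOT term, and only events that pass the filter feed the 10-day first-occurrence windows.

```python
"""Added example: evaluate the Fortigate_Critical_Event rule over constructed events."""
from datetime import datetime, timedelta

# Filter terms as listed on the rule page (field -> value).
MUST_HIT = {"@fortigate.crlevel": "critical", "@fortigate.direction": "outgoing"}
MUST_NOT_HIT = {"@fortigate.eventtype": "anomaly"}

# Base risk (name, score) and first-occurrence rules: name -> (field, window, risk).
BASE_RISK = ("ALERT_NORMAL", 100)
FIRST_OCCURRENCE = {
    "SourceIP": ("@fortigate.srcip", timedelta(days=10), "ML_NEW_IP"),
    "NewAttack": ("@fortigate.attack", timedelta(days=10), "ML_NEW_ALERT"),
}
BEHAVIOR_KEY = "@fortigate.srcip"  # the behavior rule keys each alert on the source IP


def matches_filter(event):
    """Every MUST-hit term must match and no MUST-NOT-hit term may match.
    An absent field cannot 'hit': it fails a MUST term and passes a MUST NOT term."""
    if any(event.get(field) != value for field, value in MUST_HIT.items()):
        return False
    return not any(event.get(field) == value for field, value in MUST_NOT_HIT.items())


class FirstOccurrenceTracker:
    """Remembers when each (rule, value) pair was last seen. A value not seen
    inside the rule's window is a first occurrence and contributes its ML risk."""

    def __init__(self):
        self.last_seen = {}

    def risks_for(self, event, when):
        risks = []
        for name, (field, window, risk) in FIRST_OCCURRENCE.items():
            value = event.get(field)
            if value is None:
                continue
            previous = self.last_seen.get((name, value))
            if previous is None or when - previous > window:
                risks.append(risk)
            self.last_seen[(name, value)] = when
        return risks


def evaluate(events, tracker=None):
    """Return one alert per matching event, in input order, keyed on the behavior field."""
    tracker = tracker or FirstOccurrenceTracker()
    alerts = []
    for event in events:
        if not matches_filter(event):
            continue  # non-matching events never reach correlation
        when = datetime.fromisoformat(event["time"])
        alerts.append({
            "key": event.get(BEHAVIOR_KEY),
            "time": event["time"],
            "score": BASE_RISK[1],
            "risks": [BASE_RISK[0]] + tracker.risks_for(event, when),
        })
    return alerts


# Constructed sample events (not real Fortigate logs); addresses are documentation ranges.
SAMPLE_EVENTS = [
    {"time": "2021-03-01T10:00:00", "@fortigate.crlevel": "critical",
     "@fortigate.direction": "outgoing", "@fortigate.srcip": "198.51.100.7",
     "@fortigate.attack": "Constructed.Signature.A"},  # no eventtype field at all
    {"time": "2021-03-02T09:30:00", "@fortigate.crlevel": "critical",
     "@fortigate.direction": "outgoing", "@fortigate.eventtype": "signature",
     "@fortigate.srcip": "198.51.100.7", "@fortigate.attack": "Constructed.Signature.A"},
    {"time": "2021-03-02T11:00:00", "@fortigate.crlevel": "critical",
     "@fortigate.direction": "incoming", "@fortigate.srcip": "198.51.100.7"},
    {"time": "2021-03-03T08:00:00", "@fortigate.crlevel": "critical",
     "@fortigate.direction": "outgoing", "@fortigate.eventtype": "anomaly",
     "@fortigate.srcip": "198.51.100.7", "@fortigate.attack": "Constructed.Signature.A"},
    {"time": "2021-03-20T16:45:00", "@fortigate.crlevel": "critical",
     "@fortigate.direction": "outgoing", "@fortigate.eventtype": "signature",
     "@fortigate.srcip": "198.51.100.7", "@fortigate.attack": "Constructed.Signature.B"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the first and last events carry both ML risks (new source IP and new attack name, the third because 18 days have passed since the IP was last seen), the second carries only ALERT_NORMAL, and the incoming and anomaly events produce no alert and leave the windows untouched.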

History:

User                        Date
em*n@fluencysecurity.com    2021 Mar 23 13:55:03 EDT
em*n@fluencysecurity.com    2021 Mar 23 14:27:02 EDT
em*n@fluencysecurity.com    2021 Mar 24 17:32:57 EDT
em*n@fluencysecurity.com    2021 Jun 17 14:45:52 EDT

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)