SIEM


FortiSIEM - Rule Exceptions not working

  • 1.  FortiSIEM - Rule Exceptions not working

    Posted May 29, 2020 02:10 AM
    Hi,

    I was trying to reduce false positives from several rules and wanted to have a few exceptions / whitelist entries in place. Following is a sample scenario where I want to whitelist several domains that are triggering the "System Rule : Blacklist User Agent Match".

    I cloned the rule and set a few exceptions in the Exception Section as follows:



    Moreover, I have created a few lists for easy management, as follows:


    This is one of those lists I have created.

    I tried the rule testing feature also but it won't whitelist the domains I excluded.

    Since then I tried excluding in rule condition section as follows,


    This won't work either. It is still triggering the alarms for the whitelisted domains as well.

    Following is a sample log that I'm trying to whitelist:


    Any suggestions on this matter?

    Regards,
    Isuru


  • 2.  RE: FortiSIEM - Rule Exceptions not working

    GROUP ADMIN
    Posted Jun 18, 2020 02:28 AM
    Hi Isuru, Sorry for the delay.

    Can you send me that test event? I want to test this out in the lab.

    Looking at the rule, this should work.

    What version of FSM are you running? If on 5.3.0, I suggest trying 5.3.1.

    Thanks

    Dan


  • 3.  RE: FortiSIEM - Rule Exceptions not working

    Posted Jun 22, 2020 03:32 AM
    RAW logs

    Attachment(s): sample_logs.csv.gz (8K)


  • 4.  RE: FortiSIEM - Rule Exceptions not working

    Posted Jun 25, 2020 03:18 PM

    Hi,

    I have the same rule on rule exceptions, when we don't pass the Event Attribute on the Group By Condition.

    Try to pass 1 folder on rule exceptions, like this:

    A IN A OR
    A IN B OR





  • 5.  RE: FortiSIEM - Rule Exceptions not working

    Posted Jun 25, 2020 08:54 PM
    Hi Hugo,

    Thanks for the insight. I'll try it and let you know.

    Regards,
    Isuru


  • 6.  RE: FortiSIEM - Rule Exceptions not working

    Posted Jun 25, 2020 09:52 PM
    Hi Hugo,

    I have setup the rule exceptions as you mentioned,

    and added the "Destination Host name" attribute to the group by fields as follows,



    But I have the same issue with another rule, "Outbound cleartext password usage from non guest network detected", where I want to exclude a specific "Destination IP" from triggering; it is already in the group by fields and only refers to a single group, as follows:




    Still, the rule will trigger for an IP in the range, as follows:


    Cheers,
    Isuru


  • 7.  RE: FortiSIEM - Rule Exceptions not working

    Posted 29 days ago
    Hi Isuru,

    We have the same issue; in our environment it's a cluster of 1 Super + 2 Workers.
    It seems it's a bug because redis doesn't pass the objects to the workers.

    In our case we resolved the issue by killing the Java process:

    SSH to the Super.
    killall -9 java
    phstatus -a

    Regards
    Hugo Pinto
    Claranet Portugal


  • 8.  RE: FortiSIEM - Rule Exceptions not working

    Posted 14 days ago
    The bug where redis caching doesn't receive updated copies of objects from the super on workers should be fixed in 5.3.2. This only occurs if you restarted redis after java (aka appserver) has already been started. The proper ordering of start is redis first, and then app server.

    As for exceptions not working, on upgrade certain natural_ids for objects in the postgres db contain special characters that aren't handled correctly by phQueryMaster/Worker.

    Fortinet will have to guide you on removing %2d (for -) for certain object names in the natural id, or the char representation of whitespace for natural ids of certain objects.
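    As an added, defender-side check to go with this reply (constructed for this thread; not Fortinet tooling, and the ids below are made up), the snippet scans a list of object natural ids for percent-encoded characters such as %2d (hyphen) or %20 (space) and reports the decoded form, so an administrator can see which objects would need attention before involving support. How the ids are extracted from the postgres database, and what to do about the ones found, is not covered here and should follow Fortinet's guidance.

```python
"""
Constructed example: flag natural ids that carry %XX escapes (e.g. %2d for
"-", %20 for a space).  The sample ids are invented for illustration; real
ids come from your own database under Fortinet's guidance.
"""
import re
from urllib.parse import unquote

# One percent-escape: a '%' followed by two hex digits.
PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

# Constructed sample natural ids in the style described in the thread.
SAMPLE_NATURAL_IDS = [
    "PH_SYS_RULE_BLACKLIST_UA",           # clean
    "Blacklist%2dUA%2dWhitelist",         # contains %2d for "-"
    "Cleartext%20Password%20Exclusions",  # contains %20 for a space
    "Plain-Hyphen-Name",                  # literal hyphen, not encoded
]


def find_encoded_natural_ids(natural_ids):
    """Return (id, decoded_id, escapes) for every id containing a %XX escape.

    `escapes` is the sorted list of distinct escapes found, so the caller can
    tell a %2d-only id from one that also carries whitespace encoding.
    """
    findings = []
    for nid in natural_ids:
        escapes = sorted(set(PERCENT_ESCAPE.findall(nid)))
        if escapes:
            findings.append((nid, unquote(nid), escapes))
    return findings


if __name__ == "__main__":
    for nid, decoded, escapes in find_encoded_natural_ids(SAMPLE_NATURAL_IDS):
        print(f"{nid!r} -> {decoded!r}  escapes={escapes}")
```

    On the constructed list it reports the two encoded ids and leaves the plain hyphenated name alone, since a literal "-" is not the condition the reply describes.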