FortiGate / FortiOS

FortiManager

FortiAnalyzer

User Guide

FortiSIEM User Guide
TABLE OF CONTENTS
Overview
FortiSIEM Releases
- What's New in 7.5.0
- What's New in 7.4.2
- What's New in 7.4.1
- What's New in 7.4.0
- What's New in 7.3.5
- What's New in 7.3.4
- What's New in 7.3.3
- What's New in 7.3.2
- What's New in 7.3.1
- What's New in 7.3.0
- What's New in 7.2.7
- What's New in 7.2.6
- What's New in 7.2.5
- What's New in 7.2.4
- What's New in 7.2.3
- What's New in 7.2.2
- What's New in 7.2.1
- What's New in 7.2.0
- What's New in 7.1.9
- What's New in 7.1.8
- What's New in 7.1.7
- What's New in 7.1.6
- What's New in 7.1.5
- What's New in 7.1.4
- What's New in 7.1.3
- What's New in 7.1.2
- What's New in 7.1.1
- What's New in 7.1.0
- What's New in 7.0.4
- What's New in 7.0.3
- What's New in 7.0.2
- What's New in 7.0.1
- What's New in 7.0.0
Windows Agent Releases
Content Pack Updates
Key Concepts
Getting Started
Advanced Operations
- CMDB
- Incidents and Cases
- Device Support
- Rules, Reports, and Dashboards
- Advanced Health System
- Managing FortiSIEM
Administration
- Setup
- Device Support
- Health
- User Activity
- License
- Content Update
- Settings
Managing CMDB
- Devices
- Applications
- Users
- Business Services
- CMDB Reports
Managing Resources
- Reports
  - Viewing System Reports
  - Creating New Reports
  - Running System Reports
  - Working With Report Design Templates
  - Scheduling Reports
  - Importing and Exporting Reports
  - Importing and Exporting Report Definitions
- Saved Report Results
- ReportAI
- Rules
  - Viewing Rules
  - Creating Rules
  - Activating and Deactivating a Rule
  - Testing a Rule
  - Exporting and Importing Rule Definitions
  - Importing Sigma Rules
- Machine Learning Jobs
  - Viewing Machine Learning Jobs
  - Editing a Machine Learning Job
  - Deleting a Machine Learning Job
- Watch Lists
  - System-defined Watch List
  - Creating a Watch List
  - Modifying a Watch List
  - Using a Watch List
  - Exporting and Importing Watch Lists
- Lookup Tables
  - Adding a Lookup Table
  - Deleting a Lookup Table
  - Working with Lookup Table Data
- External Datasets
  - Configuring AWS Security Lake
  - Configuring AWS S3
  - Configuring MySQL
  - Configuring Fortinet FortiEDR
  - Configuring PostgreSQL
  - Configuring Snowflake
  - Provider and Dataset Import / Export Operations
- Osquery
  - Viewing osquery Templates
  - Creating osquery Templates
  - Running osquery
- Automation
  - Playbooks
  - Playbook Assets
  - Content Hub
  - Solution Packs
  - Remediations
  - FortiSOAR Playbooks
    - Viewing FortiSOAR Playbooks
    - Updating FortiSOAR Playbooks
  - FortiSOAR Connectors
    - Viewing Connectors
    - Updating Connectors
- Malware Domains
  - Adding a Malware Domain
  - Modifying a Malware Domain
  - Deleting a Malware Domain
  - Importing Malware Domains
  - Viewing Malware Domains
- Malware IPs
  - Adding a Malware IP
  - Modifying a Malware IP
  - Deleting a Malware IP
  - Importing Malware IPs
  - Viewing Malware IPs
- Malware Hash
  - Adding a Malware Hash
  - Modifying a Malware Hash
  - Deleting a Malware Hash
  - Importing/Updating User-defined Malware Hash
  - Viewing Malware Hash
- Malware Processes
  - Creating a Malware Process Group
  - Adding a Malware Process
  - Modifying a Malware Process
  - Deleting a Malware Process
  - Importing Malware Processes
  - Viewing Malware Processes
- Malware URLs
  - Adding a Malware URL
  - Modifying a Malware URL
  - Deleting a Malware URL
  - Importing Malware URLs
  - Viewing Malware URLs
- Anonymity Network
  - Adding Anonymity Networks
  - Modifying Anonymity Networks
  - Updating Anonymity Networks
- Country Groups
  - Creating a Country Group
  - Adding a Country Group
  - Modifying a Country Group
  - Deleting a Country Group
  - Changing the Home Country
- Default Password
  - Adding a Default Password
  - Modifying a Default Password
  - Importing and Exporting a Default Password
- Event Types
  - Adding an Event Type
  - Modifying an Event Type
  - Deleting an Event Type
- User Agents
  - Adding User Agents
  - Modifying User Agents
  - Importing and Exporting User Agents
- Networks
  - Adding a Network
  - Modifying a Network
  - Deleting a Network
  - Importing / Exporting Networks
- Protocols
  - Adding a Protocol
  - Modifying a Protocol
  - Deleting a Protocol
Working with Built-In External Threat Feeds
- Working with AbuseIPDB Threat Feed
- Working with AlienVault OTX Threat Feeds
- Working with ANY.RUN Threat Feeds
- Working with BlocklistDE Threat Feed
- Working with C2 Tracker Threat Feed
- Working with CertPL ThreatFeed
- Working with CINS Score Threat Feed
- Working with Dragos Worldview Threat Feeds
- Working with Emerging Threats Threat Feed
- Working with FireHOL Threat Feed
- Working with FortiGuard Threat Feeds
- Working with FortiRecon Threat Feeds
- Working with FortiSandbox Threat Feeds
- Working with FortiSOAR Threat Feeds
- Working with GreenSnow Threat Feed
- Working with IPsum Threat Feed
- Working with MalwareBazaar Threat Feed
- Working with Malware Patrol Threat Feeds
- Working with Mandiant Threat Feeds
- Working with MISP Threat Feeds
- Working with OpenCTI Threat Feeds
- Working with OpenPhish Threat Feed
- Working with Proofpoint Threat Feed
- Working with Snort Threat Feed
- Working with ThreatConnect Threat Feeds
- Working with ThreatStream Threat Feeds
- Working with TweetFeed Threat Feeds
- Working with URLhaus Threat Feed
Working with Custom External Threat Feeds
- Custom Malware IP Threat Feed
- Custom Malware Domain Threat Feed
- Custom Malware URL Threat Feed
- Custom Malware Hash Threat Feed
- Creating Python Script to download Custom Threat Feed
- Custom Malware Processes
Working with Cases
- Creating a Case Manually
- Creating a Case Automatically
- Viewing All Cases
- Searching Cases
- Viewing a Case in Depth
- Acting on a Case
- Case Dashboard
- Case Report
- Steps to Update Case Escalation from 6.x-7.1.x to 7.2.x
Working with Incidents
- Overview
- List View
- Risk View
- Explorer View
- MITRE ATT&CK View
- UEBA View
- Investigating Incidents
- Automated Incident Resolution Recommendation
- Lookups Via External Websites
- CVE-Based IPS False Positive Analysis
- Remediating an Incident using a Script
- Executing a FortiSOAR Playbook on an Incident
- Executing a Playbook with Automation Service
- Running a FortiSOAR Connector on an Incident
- Troubleshooting Incident Trigger
Working with Analytics Search
- Overview
- Running a Built-in Historical Search
- Creating a New Search
- Creating a Nested Search
- Viewing Real-time Search Results
- Viewing Historical Search Results
- Searches Using Pre-computed Results
- Working with Search Results
Advanced Search
- Overview
- Running a Built-in Advanced Search
- Creating a New Advanced Search
- Fixing SQL Query Syntax Errors with FortiAI
- Miscellaneous Advanced Search Operations
- Advanced Search Examples
Federated Search
- Overview
- Observables and Mappings
- Creating a Federated Search
- Creating a Federated Search from Incidents or Analytics
- Miscellaneous Federated Search Operations
- Working with Federated Search Results
Machine Learning
- Overview
- Anomaly Detection
- Classification
- Clustering
- Forecasting
- Regression
Automation Audit Events
Working with Dashboards
- General Operations
- Widget Dashboard
- Summary Dashboard
- Business Service Dashboard
- Identity and Location Dashboard
- Interface Usage Dashboard
- PCI Logging Status Dashboard
Managing Tasks
FortiAI
- FortiAI Chat
- Incident Analysis
- Case Analysis
- Log Analysis
- Advanced Search SQL Helper
FortiSIEM Manager
- FortiSIEM Manager Incidents
  - FortiSIEM Manager Incidents Overview View
  - FortiSIEM Manager Incidents - List View
- FortiSIEM Manager CMDB Users
  - FortiSIEM Manager CMDB Adding Users
  - FortiSIEM Manager - Editing User Information
- FortiSIEM Manager Resources
- FortiSIEM Manager Admin
Appendix
- Administrative Tools and Information
- ClickHouse Usage Notes
- Configuration Notes
- Elasticsearch Usage Notes
- Examples of Custom Performance Monitors
- Exporting QRadar Logs to FortiSIEM
- FortiEMS Endpoint Tagging
- FortiSIEM Attribute to Observable Mappings
- GUI Notes
  - Flash to HTML5 GUI Mapping
  - FortiSIEM Charts and Views
- FortiSOAR Integration Notes
  - Configuring FortiSOAR for FortiSIEM Integration
  - Writing FortiSIEM Compatible FortiSOAR Playbooks
- Functions in Analytics
- Knowledge Base
- License Enforcement
- Parser Specification
- Python Threat Feed Framework
- Sample Windows Agent Logs
- UEBA Information
- Windows Agent System Variables

Home FortiSIEM 7.5.0 User Guide

7.5.0

Viewing osquery Templates

FortiSIEM comes with default system defined osquery templates. These templates are available on the Resources > Osquery page. Pre-built Linux osquery templates are available under Resources > Osquery > Linux. Pre-built Windows osquery templates are available under Resources > Osquery > Windows. These templates, and any newly created osquery templates appear on this page. To select the column headings that appear in the table, click on the Column () drop-down, and add/remove the ü for any column heading you wish to include/remove from the table.

Column	Description
Name	The name of the osquery template.
Description	A description of what the osquery template does.
Osquery	The actual osquery.
Frequency	The frequency that the osquery template is run.
Event Type	The event type name associated with any events that occur under the executed osquery.
Severity	The configured severity for the osquery template, ranging from 1 to 10, with 10 being the highest severity.
Scope	An osquery template is either a System template (a default osquery template), or a User template (created by the user).

Viewing osquery Templates

Column	Description
Name	The name of the osquery template.
Description	A description of what the osquery template does.
Osquery	The actual osquery.
Frequency	The frequency that the osquery template is run.
Event Type	The event type name associated with any events that occur under the executed osquery.
Severity	The configured severity for the osquery template, ranging from 1 to 10, with 10 being the highest severity.
Scope	An osquery template is either a System template (a default osquery template), or a User template (created by the user).

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

User Guide

Viewing osquery Templates

Viewing osquery Templates

Viewing osquery Templates

Viewing osquery Templates