Adding fields in FortiSIEM

By default, a detection event sent by Kaspersky CyberTrace contains the IP address of the device that sent the original event and a field for the detected indicator. However, FortiSIEM does not contain fields for storing this IP address and indicator. This section describes how to add a field for storing values that you need in FortiSIEM.

To add a field for storing an IP address and detected indicator in FortiSIEM:

1. Open the FortiSIEM web console.
2. Select Admin > Device Support > Event Attribute.
3. Click New.

   The Add Event Attribute Type Definition window opens.

4. Specify the following information:
   • In the Name field, specify dvcIpAddr.
   • In the Display Name field, specify Device IP Address.
   • In the Value Type field, select IP.
   • Fill in the rest of the fields as you wish.

   

   Adding a new field in FortiSIEM

5. Click Save.
6. Click New.
7. In the Add Event Attribute Type Definition window that opens, specify the following information:
   • In the Name field, specify detectedIndicator.
   • In the Display Name field, specify Detected indicator.
   • In the Value Type field, select String.
   • Fill in the rest of the fields as you wish.
8. Click Save.
9. Click Apply.

For more information about adding a new field in FortiSIEM, visit http://help.fortinet.com/fsiem/5-1-1/Online-Help/HTML5_Help/Working_with_Event_Attributes.htm.