IBM Security QRadar

Hey,

I was investigating logs coming from a Fortigate firewall, I noticed 4 different firewall actions,( accept / close / client-reset / server-reset), always refers to the same Event ID "Allow Action".
You will find below a screenshots describing the use case.

That's confusing me, can someone please help me and explains to me what does it mean ?

Thank you,

------------------------------
Chawki Ben Salem
Security Operations Center Analyst
------------------------------

Hi,

Did you check the payload of these 4 events? Is there any similarity that you notice?

Would it be possible for you to share the payload of these 4 events?  Just looking at the screenshot, it would be difficult to say why these are mapped in a single category.

------------------------------
Prabir Meher
------------------------------

Original Message:
Sent: Fri December 02, 2022 09:37 AM
From: Chawki Ben Salem
Subject: Event ID confusion

Hey,

I was investigating logs coming from a Fortigate firewall, I noticed 4 different firewall actions,( accept / close / client-reset / server-reset), always refers to the same Event ID "Allow Action".
You will find below a screenshots describing the use case.

That's confusing me, can someone please help me and explains to me what does it mean ?

Thank you,

------------------------------
Chawki Ben Salem
Security Operations Center Analyst
------------------------------