Message Image

Log in

Skip to main content (Press Enter).

Skip auxiliary navigation (Press Enter).

IBM Security Join our 16,000+ members as we work together to overcome the toughest challenges of cybersecurity. Join the Community

Skip main navigation (Press Enter).

IBM Security QRadar

View Only

Expand all | Collapse all

Event ID confusion

Chawki Ben SalemFri December 02, 2022 09:57 AM

Hey, I was investigating logs coming from a Fortigate firewall, I noticed 4 different firewall actions,( ...

Prabir MeherSun December 04, 2022 11:58 PM

Hi, Did you check the payload of these 4 events? Is there any similarity that you notice? Would it ...

1. Event ID confusion

0 Like
Chawki Ben Salem
Posted Fri December 02, 2022 09:57 AM
| view attached (4)

Reply
Hey,

I was investigating logs coming from a Fortigate firewall, I noticed 4 different firewall actions,( accept / close / client-reset / server-reset), always refers to the same Event ID "Allow Action".
You will find below a screenshots describing the use case.

That's confusing me, can someone please help me and explains to me what does it mean ?

Thank you,

------------------------------
Chawki Ben Salem
Security Operations Center Analyst
------------------------------
2. RE: Event ID confusion

0 Like
Prabir Meher
Posted Sun December 04, 2022 11:58 PM

Reply
Hi,

Did you check the payload of these 4 events? Is there any similarity that you notice?

Would it be possible for you to share the payload of these 4 events? Just looking at the screenshot, it would be difficult to say why these are mapped in a single category.

------------------------------
Prabir Meher
------------------------------

Original Message

Powered by Higher Logic