IBM QRadar

  • 1.  Event ID confusion

    Posted Fri December 02, 2022 09:57 AM
    Hey,

    I was investigating logs coming from a Fortigate firewall, and I noticed that 4 different firewall actions (accept / close / client-reset / server-reset) always refer to the same Event ID, "Allow Action".
    You will find below screenshots describing the use case.

    That's confusing me. Can someone please help me and explain to me what it means?

    Thank you,

    ------------------------------
    Chawki Ben Salem
    Security Operations Center Analyst
    ------------------------------


  • 2.  RE: Event ID confusion

    Posted Sun December 04, 2022 11:58 PM
    Hi,

    Did you check the payload of these 4 events? Is there any similarity that you notice?

    Would it be possible for you to share the payload of these 4 events? Just looking at the screenshot, it would be difficult to say why these are mapped to a single category.

    ------------------------------
    Prabir Meher
    ------------------------------
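The check the reply above asks for, comparing the payloads of the four events field by field, can be done offline on exported raw payloads. The script below is an added example, not part of this thread and not code from QRadar or Fortinet; the sample payloads are constructed to mimic the FortiGate space-separated key=value syslog layout, and the four action values are the ones named in the question. It parses each payload, groups events by their `action` field, and lists which fields are identical across a set of events, which is what makes several actions look like candidates for one event category.

```python
import re
from collections import defaultdict

# Constructed sample FortiGate-style traffic payloads (not real log data).
# FortiGate writes space-separated key=value pairs; string values are quoted.
SAMPLE_PAYLOADS = [
    'date=2022-12-02 time=09:50:01 devname="fgt-edge" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.10.1.25 dstip=203.0.113.10 dstport=443 proto=6 action="accept" policyid=12',
    'date=2022-12-02 time=09:50:05 devname="fgt-edge" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.10.1.25 dstip=203.0.113.10 dstport=443 proto=6 action="close" policyid=12 duration=4',
    'date=2022-12-02 time=09:50:09 devname="fgt-edge" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.10.1.40 dstip=198.51.100.7 dstport=22 proto=6 action="client-reset" policyid=12',
    'date=2022-12-02 time=09:50:12 devname="fgt-edge" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.10.1.40 dstip=198.51.100.7 dstport=22 proto=6 action="server-reset" policyid=12',
    'date=2022-12-02 time=09:50:20 devname="fgt-edge" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.10.1.77 dstip=192.0.2.9 dstport=3389 proto=6 action="deny" policyid=0',
]

# key=value where the value is either "quoted text" or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate(payload: str) -> dict:
    """Turn one key=value payload into a dict of string fields."""
    fields = {}
    for m in KV_RE.finditer(payload):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def group_by_action(payloads) -> dict:
    """Map each distinct 'action' value to the list of parsed events carrying it."""
    groups = defaultdict(list)
    for payload in payloads:
        event = parse_fortigate(payload)
        groups[event.get("action", "<missing>")].append(event)
    return dict(groups)


def common_fields(payloads) -> dict:
    """Return the fields whose value is identical in every given payload.

    Fields that differ (here: time, srcip, action, ...) are dropped, so the
    result shows what a set of events shares and could be categorised on.
    """
    events = [parse_fortigate(p) for p in payloads]
    if not events:
        return {}
    shared_keys = set(events[0])
    for event in events[1:]:
        shared_keys &= set(event)
    return {
        key: events[0][key]
        for key in sorted(shared_keys)
        if all(event[key] == events[0][key] for event in events)
    }


if __name__ == "__main__":
    for action, events in group_by_action(SAMPLE_PAYLOADS).items():
        print(f"{action:14s} {len(events)} event(s)")
    print("fields shared by the first four payloads:")
    for key, value in common_fields(SAMPLE_PAYLOADS[:4]).items():
        print(f"  {key}={value}")
```

Run it on the real payloads exported from the log source instead of the constructed list; if the four actions share `logid`, `type` and `subtype` while only `action` differs, that is the similarity the reply is asking about, and the `action` value is the field a finer-grained mapping would have to key on.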