Rules Engine in FortiSIEM: The rules engine evaluates incoming events against the conditions defined
in each rule and raises an incident when a rule's pattern is satisfied.
Aggregation Condition: The aggregation condition tells FortiSIEM how to summarize and count the
events that have already passed the rule's filter, rather than acting on each event individually.
Function: Aggregation groups the filtered events by the chosen attributes (for example source IP or
user) and then applies an operation such as counting occurrences within the rule's time window; the
rule fires only when the aggregate meets its threshold.
Purpose: This allows the engine to detect patterns and anomalies that no single event reveals, such
as a high number of failed login attempts from one source within a short period.
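To make the filter, group-by and aggregation steps concrete, the following Python script simulates the flow described above over a handful of constructed failed-login events. It is an added illustration for this page, not FortiSIEM code or its rule syntax; the event tuples, the event-type string "Win-Security-4625", the five-minute window and the threshold of five are all assumed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not captured from a real system).
# Each tuple is (timestamp, event type, source IP, user).
SAMPLE_EVENTS = [
    ("2024-03-01T10:00:01", "Win-Security-4625", "10.0.0.5", "alice"),
    ("2024-03-01T10:00:05", "Win-Security-4625", "10.0.0.9", "bob"),
    ("2024-03-01T10:00:10", "Win-Security-4625", "10.0.0.7", "carol"),
    ("2024-03-01T10:00:15", "Win-Security-4625", "10.0.0.5", "alice"),
    ("2024-03-01T10:00:20", "Win-Security-4625", "10.0.0.7", "carol"),
    ("2024-03-01T10:00:30", "Win-Security-4625", "10.0.0.5", "alice"),
    ("2024-03-01T10:00:30", "Win-Security-4625", "10.0.0.7", "carol"),
    ("2024-03-01T10:00:40", "Win-Security-4625", "10.0.0.7", "carol"),
    ("2024-03-01T10:01:02", "Win-Security-4625", "10.0.0.5", "alice"),
    ("2024-03-01T10:01:40", "Win-Security-4625", "10.0.0.5", "alice"),
    ("2024-03-01T10:01:50", "Win-Security-4625", "10.0.0.5", "alice"),
    ("2024-03-01T10:02:00", "Win-Security-4624", "10.0.0.5", "alice"),  # success, filtered out
    ("2024-03-01T10:06:00", "Win-Security-4625", "10.0.0.9", "bob"),
    ("2024-03-01T10:12:00", "Win-Security-4625", "10.0.0.9", "bob"),
    ("2024-03-01T10:20:00", "Win-Security-4625", "10.0.0.7", "carol"),  # outside carol's window
]

FAILED_LOGIN = "Win-Security-4625"  # assumed event type for the filter condition


def parse_events(rows):
    """Turn the constructed rows into (datetime, type, ip, user) tuples."""
    return [(datetime.fromisoformat(ts), et, ip, user) for ts, et, ip, user in rows]


def aggregate_failed_logins(events, window=timedelta(minutes=5), threshold=5):
    """
    Simulated rule evaluation:
      filter      - keep only failed-login events
      group by    - (source IP, user)
      aggregation - COUNT(*) >= threshold inside a sliding time window
    Returns one incident per group the first time its count reaches the threshold.
    """
    buckets = defaultdict(deque)   # group key -> timestamps still inside the window
    fired = set()                  # groups that already produced an incident
    incidents = []

    for ts, event_type, src_ip, user in sorted(events):   # evaluate in time order
        if event_type != FAILED_LOGIN:                    # filter condition
            continue
        key = (src_ip, user)                              # group-by attributes
        q = buckets[key]
        q.append(ts)
        while q and ts - q[0] > window:                   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and key not in fired:      # aggregation condition met
            fired.add(key)
            incidents.append({
                "src_ip": src_ip,
                "user": user,
                "count": len(q),
                "first": q[0],
                "last": ts,
            })
    return incidents


def detect_sample():
    """Run the simulated rule over the constructed events."""
    return aggregate_failed_logins(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for inc in detect_sample():
        print(f"incident: {inc['count']} failed logins for {inc['user']} "
              f"from {inc['src_ip']} between {inc['first']} and {inc['last']}")
```

Only alice from 10.0.0.5 produces an incident: she reaches five failures within the window, and the sixth failure does not fire a second time because the group is already flagged. bob never reaches the threshold, and carol's fifth failure arrives after her first four have aged out of the window, which is exactly why the window boundary is part of the aggregation condition and not an afterthought.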
Reference: FortiSIEM 6.3 User Guide, Rules Engine section, which explains how aggregation is used
to summarize and count matching data.