Alerts not generated despite matching FortiGate logs and Sigma rules

[arefalabsi]

Version

2.4.141

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

500

Storage for /nsm

326

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I’m currently testing FortiGate logs integration with Security Onion. The logs are successfully received and parsed — as shown in the attached dashboard screenshot — and I can confirm that the log fields match the conditions specified in my Sigma rules.
However, even though there is a clear match between the received logs and the detection rules, no alerts appear in the Alerts tab.
I’ve attached the following for reference:
Screenshot from the Security Onion dashboard showing that logs are received correctly.
Two Sigma rules I created (in a text file).
Sample FortiGate logs (as images).
Could anyone please help me understand why alerts are not showing up even though the logs and rules match?

sigma rules.txt

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

When you convert in the custom rule and Test in Kibana what does the output show?

[arefalabsi]

I observed that the data matches correctly when queried in Kibana, but creating a detection rule does not generate any alerts.

[cm-ops]

What does your sigma rule look like?

[arefalabsi]

I’ve already added the Sigma rules in a text file at the end of my previous message.Do I need to resend it?

[cm-ops]

I see it, shouldn't your logsource be product: fortinet and category: firewall?

https://sigmahq.io/docs/basics/log-sources.html

Have you tried breaking up into two selections (selection1 and selection2) and setting the condition as selection1 and selection2?

[arefalabsi]

After further verification, we identified another issue related to the machine itself, specifically concerning its system resources. Despite attempts to expand the resources, the problem persists. I will open a separate discussion to address this matter.

Thank you for your support and cooperation.
Your response was extremely helpful, as it prompted us to review some of the previous rules that had generated similar alerts, which reassured us that there is no issue with the way the rule was written on our side.Your input also broadened our understanding and highlighted aspects that were not initially visible to us.