Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiAnalyzer 7.6.6 Administration Guide
    7.6.6
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.9
    5.2.7
    5.2.6
    5.2.5
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.13
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.0
    4.2.0
    4.1.0
    4.0.0

    Explorer

    Explorer

    The Explorer pane allows you to efficiently monitor events using a timeline and quick filters.

    You can perform the following actions from the toolbar:

    Devices

    Select devices from the dropdown to filter the pane.

    Time Period

    Select a time period to filter the pane. Select Custom to specify a time period not in the dropdown list.

    Refresh

    Click to manually refresh the pane. From the dropdown, you can select an automatic refresh interval.

    View Options

    Toggle visibility for the timeline and quick filters. The timeline and all quick filters are enabled by default.

    The Explorer pane includes the following sections:

    Timeline

    Displays the number of alerts by severity in a stacked bar chart on a timeline.

    A legend for the severity displays next to the timeline. You can click a severity level in the legend or on the bar chart to filter the pane by that severity level. Click the severity level again to remove the filter.

    Quick Filters

    Displays the available values to filter the pane by according to the following fields:

    • Event

    • Host

    • Source

    • Target

    • User

    The available values are impacted by the device, time period, and quick filters that are already set in the pane.

    Click a value in the quick filter widgets to filter the pane by that value. Click multiple values to apply the filters with an AND relationship. You can use the Search filter bar in the quick filter widgets to find specific values. To remove the filters, click Clear Filters in the quick filter widget.

    Related Events

    Displays the events in a table view. Use the search bar to find specific events in the table.

    You can perform the following actions on the events:

    Action

    Description

    Search in Log View

    Open Log View in a separate tab, filtered to display all logs associated with the event.

    Create New Incident

    Create a new incident from the event. See Raising an incident.

    Add to Existing Incident

    Attach the event to an existing incident. In the Attach to Incident dialog, enter an incident number or select an incident from the table and click OK.

    Suppress

    Suppress this event and identical or similar events according to suppression criteria. For more information, see Suppressing events.
    Note

    When applicable, the risk score will appear next to the endpoint or user in the quick filters and related events table.

    The following columns are available for the Related Events table view:

    Column

    Description

    Severity

    The event severity level.

    Last Occured

    How long ago the most recent log occured related to the event.

    Event

    The event subject line.

    Endpoint

    The affected endpoint.

    Source

    The source of the event activity. This is the actor or system that initiated the action; it could be a user, IP, device, or process. See additional explanation below the table.

    Target

    The affected target. This could be a device, user, service, or file. See additional explanation below the table.

    User

    The affected user.

    Event Type

    The event type, such as Traffic.

    Event Status

    The event status, such as Unhandled or Mitigated.

    Details

    A breakdown of target IPs and endpoints.

    Device Name

    The device that sent logs to trigger the event.

    Rule

    The rule that triggered the event.

    Event Handler

    The event handler containing the rule that triggered the event.

    The Source and Target fields can support incident triage and prioritization. They can help determine if a threat is external or internal, and they make it easier to understand the attack impact and intent.

    Examples:

    • If a hacker tries to break into a server:

      Source = hacker’s IP or device

      Target = the server

    • If a user logs into a system:

      Source = the user

      Target = the system being accessed

    FortiAnalyzer assigns the Source and Target based on the group-by fields in the triggered event handler.

    • Source: source IP, source user, process name

    • Target: destination IP, target host, affected user or object

    For more information about event handler configuration, see Creating a custom event handler.

    Event details pane

    You can double-click a record in the Related Events table to open an event details pane. This pane is named after the event, and it displays with the following tabs:

    Tab

    Description

    Event Details

    Displays the event details in a formatted view. You can toggle to view the raw JSON. You can use the search bar to find specific information within the event details.

    Tooltip

    In the Formatted View, you can click the value in the Endpoint field to display the endpoint details pane. For more information about this pane, see Asset List.

    Triggering Logs

    Displays a sample of logs that triggered the event. You can view the log details in this tab.

    Rule Summary

    Displays information about the event handler rule that triggered the event. This includes the rule name, description, log type, severity, pattern, threshold, and group by information.

    Comment

    Add or edit a comment for the event.

    Context

    Displays a timeline for related events. From the Entity dropdown, select the entity/entities to include in the timeline.

    Click events in the timeline to open the event details pane.

    The Actions dropdown in this pane includes the same actions as available from the Related Events table. See Related Events above.

    To support investigation, you can also access the event details pane from endpoints and users in the Asset Identity List. For more information, see Asset List and Identity List.

    Previous
    Next

    Explorer

    Explorer

    The Explorer pane allows you to efficiently monitor events using a timeline and quick filters.

    You can perform the following actions from the toolbar:

    Devices

    Select devices from the dropdown to filter the pane.

    Time Period

    Select a time period to filter the pane. Select Custom to specify a time period not in the dropdown list.

    Refresh

    Click to manually refresh the pane. From the dropdown, you can select an automatic refresh interval.

    View Options

    Toggle visibility for the timeline and quick filters. The timeline and all quick filters are enabled by default.

    The Explorer pane includes the following sections:

    Timeline

    Displays the number of alerts by severity in a stacked bar chart on a timeline.

    A legend for the severity displays next to the timeline. You can click a severity level in the legend or on the bar chart to filter the pane by that severity level. Click the severity level again to remove the filter.

    Quick Filters

    Displays the available values to filter the pane by according to the following fields:

    • Event

    • Host

    • Source

    • Target

    • User

    The available values are impacted by the device, time period, and quick filters that are already set in the pane.

    Click a value in the quick filter widgets to filter the pane by that value. Click multiple values to apply the filters with an AND relationship. You can use the Search filter bar in the quick filter widgets to find specific values. To remove the filters, click Clear Filters in the quick filter widget.

    Related Events

    Displays the events in a table view. Use the search bar to find specific events in the table.

    You can perform the following actions on the events:

    Action

    Description

    Search in Log View

    Open Log View in a separate tab, filtered to display all logs associated with the event.

    Create New Incident

    Create a new incident from the event. See Raising an incident.

    Add to Existing Incident

    Attach the event to an existing incident. In the Attach to Incident dialog, enter an incident number or select an incident from the table and click OK.

    Suppress

    Suppress this event and identical or similar events according to suppression criteria. For more information, see Suppressing events.
    Note

    When applicable, the risk score will appear next to the endpoint or user in the quick filters and related events table.

    The following columns are available for the Related Events table view:

    Column

    Description

    Severity

    The event severity level.

    Last Occured

    How long ago the most recent log occured related to the event.

    Event

    The event subject line.

    Endpoint

    The affected endpoint.

    Source

    The source of the event activity. This is the actor or system that initiated the action; it could be a user, IP, device, or process. See additional explanation below the table.

    Target

    The affected target. This could be a device, user, service, or file. See additional explanation below the table.

    User

    The affected user.

    Event Type

    The event type, such as Traffic.

    Event Status

    The event status, such as Unhandled or Mitigated.

    Details

    A breakdown of target IPs and endpoints.

    Device Name

    The device that sent logs to trigger the event.

    Rule

    The rule that triggered the event.

    Event Handler

    The event handler containing the rule that triggered the event.

    The Source and Target fields can support incident triage and prioritization. They can help determine if a threat is external or internal, and they make it easier to understand the attack impact and intent.

    Examples:

    • If a hacker tries to break into a server:

      Source = hacker’s IP or device

      Target = the server

    • If a user logs into a system:

      Source = the user

      Target = the system being accessed

    FortiAnalyzer assigns the Source and Target based on the group-by fields in the triggered event handler.

    • Source: source IP, source user, process name

    • Target: destination IP, target host, affected user or object

    For more information about event handler configuration, see Creating a custom event handler.

    Event details pane

    You can double-click a record in the Related Events table to open an event details pane. This pane is named after the event, and it displays with the following tabs:

    Tab

    Description

    Event Details

    Displays the event details in a formatted view. You can toggle to view the raw JSON. You can use the search bar to find specific information within the event details.

    Tooltip

    In the Formatted View, you can click the value in the Endpoint field to display the endpoint details pane. For more information about this pane, see Asset List.

    Triggering Logs

    Displays a sample of logs that triggered the event. You can view the log details in this tab.

    Rule Summary

    Displays information about the event handler rule that triggered the event. This includes the rule name, description, log type, severity, pattern, threshold, and group by information.

    Comment

    Add or edit a comment for the event.

    Context

    Displays a timeline for related events. From the Entity dropdown, select the entity/entities to include in the timeline.

    Click events in the timeline to open the event details pane.

    The Actions dropdown in this pane includes the same actions as available from the Related Events table. See Related Events above.

    To support investigation, you can also access the event details pane from endpoints and users in the Asset Identity List. For more information, see Asset List and Identity List.

    Previous
    Next