Administration Guide

Explorer

The Explorer pane allows you to efficiently monitor alerts using a timeline and quick filters.

You can perform the following actions from the toolbar:

Option

Description

Devices

Select devices from the dropdown to filter the pane.

Time Period

Select a time period to filter the pane. Select Custom to specify a time period not in the dropdown list.

Refresh

Click to manually refresh the pane. From the dropdown, you can select an automatic refresh interval.

View Options

Toggle visibility for the timeline and quick filters.

The Explorer pane includes the following sections:

Section

Description

Timeline

Displays the number of alerts by severity in a stacked bar chart on a timeline.

A severity legend is displayed next to the timeline. You can click a severity level in the legend or on the bar chart to filter the pane by that severity level. Click the severity level again to remove the filter.

The timeline is disabled by default. You can enable it from the View Options dropdown.

Quick Filters

Displays the available values to filter the pane by according to the following fields:

  • Alert: Displays the specific type or name of the triggered security alert.

  • Host: Identifies the specific device or asset where the event was originally detected or logged.

  • Source: Shows the originating IP address or hostname that initiated the activity or traffic.

  • Target: Specifies the destination IP address, hostname, or system that the event was directed toward.

  • User: Indicates the specific username or account identity associated with the activity captured in the event.

The available values are impacted by the device, time period, and quick filters that are already set in the pane. The total number of records is displayed at the top of the quick filter.

Click a value in the quick filter widgets to filter the pane by that value. Click multiple values to apply the filters with an AND relationship. You can use the Search filter bar in the quick filter widgets to find specific values. To remove filters, click the X in the search bar for the quick filter widget.

The quick filters are enabled by default. You can disable the quick filters individually from the View Options dropdown.
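As an added example (not part of this guide and not FortiAnalyzer's own code), the following Python models the quick-filter behaviour described above: selections made in different widgets combine with AND, the total record count is the size of the filtered set, and the values each widget offers, with their counts, are recomputed from the alerts that survive the filters already set. The alert records and their values are constructed for the example, and the assumption that each widget contributes at most one selected value is an assumption of this example, not a statement from the guide.

```python
from collections import Counter

# Constructed sample alerts (invented values, not real FortiAnalyzer output).
# Keys mirror the Explorer quick-filter fields: Alert, Host, Source, Target, User.
SAMPLE_ALERTS = [
    {"Alert": "Brute-force login", "Host": "FGT-EDGE-01", "Source": "203.0.113.10", "Target": "10.0.5.20", "User": "admin"},
    {"Alert": "Brute-force login", "Host": "FGT-EDGE-01", "Source": "203.0.113.10", "Target": "10.0.5.21", "User": "root"},
    {"Alert": "Malware detected", "Host": "WIN-HR-07", "Source": "10.0.8.33", "Target": "10.0.8.33", "User": "jdoe"},
    {"Alert": "Lateral movement", "Host": "WIN-HR-07", "Source": "10.0.8.33", "Target": "10.0.5.20", "User": "jdoe"},
    {"Alert": "Brute-force login", "Host": "FGT-DC-02", "Source": "198.51.100.7", "Target": "10.0.5.20", "User": "admin"},
]

QUICK_FILTER_FIELDS = ("Alert", "Host", "Source", "Target", "User")


def apply_quick_filters(alerts, selected):
    """Return the alerts matching every selected (field, value) pair.

    `selected` maps a quick-filter field to the one value clicked in that
    widget (an assumption of this example); values from different widgets
    combine with AND, as the guide describes.
    """
    return [a for a in alerts if all(a.get(field) == value for field, value in selected.items())]


def available_values(alerts, selected):
    """Values (with record counts) each widget would offer given the filters already set.

    The counts are taken from the filtered result set, so choosing a value in
    one widget narrows what the other widgets show.
    """
    matched = apply_quick_filters(alerts, selected)
    return {field: Counter(a[field] for a in matched) for field in QUICK_FILTER_FIELDS}


def explorer_state(alerts, selected):
    """Total record count plus the per-widget values, as the pane would show them."""
    matched = apply_quick_filters(alerts, selected)
    return {"total": len(matched), "values": available_values(alerts, selected)}


if __name__ == "__main__":
    # Click "Brute-force login" in the Alert widget, then "admin" in the User widget.
    state = explorer_state(SAMPLE_ALERTS, {"Alert": "Brute-force login", "User": "admin"})
    print("records:", state["total"])
    for field, counts in state["values"].items():
        print(f"  {field}: {dict(counts)}")
```

Removing a filter is simply dropping its key from `selected`; the example recomputes everything from the full alert list each time rather than incrementally, which is the simplest correct way to keep the widget counts consistent with the table.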

Related Alerts

Displays the alerts in a table view. Use the search bar to find specific alerts in the table.

You can perform the following actions on the alerts:

Action

Description

Search in Log View

Open Log View in a separate tab, filtered to display all logs associated with the alert.

Create New Incident

Create a new incident from the alert. See Raising an incident.

Add to Existing Incident

Attach the alert to an existing incident. In the Attach to Incident dialog, enter an incident number or select an incident from the table and click OK.

Suppress

Suppress this alert and identical or similar alerts according to suppression criteria. For more information, see Suppressing alerts.

When applicable, the risk score appears next to the endpoint or user in the quick filters and in the Related Alerts table.

The following columns are available for the Related Alerts table view:

Column

Description

Severity

The alert severity level.

Last Occurred

How long ago the most recent log related to the alert occurred.

Alert

The alert subject line.

Endpoint

The affected endpoint.

Source

The source of the alert activity. This is the actor or system that initiated the action; it could be a user, IP, device, or process. See additional explanation below the table.

Target

The affected target. This could be a device, user, service, or file. See additional explanation below the table.

User

The affected user.

Alert Type

The alert type, such as Traffic.

Alert Status

The alert status, such as Unhandled or Mitigated.

Details

A breakdown of target IPs and endpoints.

Device Name

The device that sent logs to trigger the alert.

Rule

The rule that triggered the alert.

Alert Handler

The alert handler containing the rule that triggered the alert.

The Source and Target fields can support incident triage and prioritization. They can help determine if a threat is external or internal, and they make it easier to understand the attack impact and intent.

Examples:

  • If a hacker tries to break into a server:

    Source = hacker’s IP or device

    Target = the server

  • If a user logs into a system:

    Source = the user

    Target = the system being accessed

FortiAnalyzer assigns the Source and Target based on the group-by fields in the triggered alert handler.

  • Source: source IP, source user, process name

  • Target: destination IP, target host, affected user or object

For more information about alert handler configuration, see Creating a custom alert handler.
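As an added example that is not part of this guide and not FortiAnalyzer's own code, the Python below models how an alert handler rule of the kind summarized on this page (a log type, a pattern, a threshold over a time window, and group-by fields) turns sample logs into an alert, then derives Source and Target from the group-by values and classifies the Source as internal or external for triage. The log records, the field names (srcip, dstip, srcuser, hostname and so on), the precedence used to pick Source and Target, the address ranges treated as internal, and the sliding-window semantics are all assumptions made for this example, not documented FortiAnalyzer behaviour.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (invented values; the srcip/dstip field names only
# loosely follow the convention of FortiGate event logs).
SAMPLE_LOGS = [
    # Four failed logins from one outside address within about a minute: meets the threshold.
    {"time": "2024-05-01T10:00:01", "type": "event", "action": "login", "status": "failed", "srcip": "203.0.113.10", "dstip": "10.0.5.20", "user": "admin"},
    {"time": "2024-05-01T10:00:15", "type": "event", "action": "login", "status": "failed", "srcip": "203.0.113.10", "dstip": "10.0.5.20", "user": "admin"},
    {"time": "2024-05-01T10:00:40", "type": "event", "action": "login", "status": "failed", "srcip": "203.0.113.10", "dstip": "10.0.5.20", "user": "root"},
    {"time": "2024-05-01T10:01:05", "type": "event", "action": "login", "status": "failed", "srcip": "203.0.113.10", "dstip": "10.0.5.20", "user": "admin"},
    # Two failures from an internal host: below the threshold.
    {"time": "2024-05-01T10:02:00", "type": "event", "action": "login", "status": "failed", "srcip": "10.0.8.33", "dstip": "10.0.5.20", "user": "jdoe"},
    {"time": "2024-05-01T10:02:30", "type": "event", "action": "login", "status": "failed", "srcip": "10.0.8.33", "dstip": "10.0.5.20", "user": "jdoe"},
    # A successful login: does not match the pattern.
    {"time": "2024-05-01T10:03:00", "type": "event", "action": "login", "status": "success", "srcip": "10.0.8.33", "dstip": "10.0.5.20", "user": "jdoe"},
    # Three failures spread over 14 minutes: never three inside one 5-minute window.
    {"time": "2024-05-01T10:00:00", "type": "event", "action": "login", "status": "failed", "srcip": "198.51.100.7", "dstip": "10.0.5.21", "user": "admin"},
    {"time": "2024-05-01T10:07:00", "type": "event", "action": "login", "status": "failed", "srcip": "198.51.100.7", "dstip": "10.0.5.21", "user": "admin"},
    {"time": "2024-05-01T10:14:00", "type": "event", "action": "login", "status": "failed", "srcip": "198.51.100.7", "dstip": "10.0.5.21", "user": "admin"},
]

# A hypothetical rule shaped like the Rule Summary fields shown on this page.
RULE = {
    "name": "Repeated failed logins",
    "description": "Three or more failed logins from one source to one destination within 5 minutes",
    "log_type": "event",
    "severity": "High",
    "pattern": {"action": "login", "status": "failed"},
    "threshold": 3,
    "window": timedelta(minutes=5),
    "group_by": ["srcip", "dstip"],
}

# Assumed precedence for picking Source and Target out of the group-by values.
SOURCE_FIELDS = ("srcip", "srcuser", "process")
TARGET_FIELDS = ("dstip", "hostname", "dstuser", "object")

# Assumed definition of "internal" (RFC 1918, loopback, IPv6 ULA); adjust to the local address plan.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7", "::1/128")]


def threat_direction(source):
    """'internal' or 'external' for an IP source; 'unknown' for a user or process name."""
    try:
        ip = ipaddress.ip_address(source)
    except (ValueError, TypeError):
        return "unknown"
    return "internal" if any(ip in net for net in INTERNAL_NETWORKS) else "external"


def assign_source_target(group):
    """Map the group-by values of a triggered rule to Source and Target."""
    source = next((group[f] for f in SOURCE_FIELDS if f in group), None)
    target = next((group[f] for f in TARGET_FIELDS if f in group), None)
    return {"source": source, "target": target, "direction": threat_direction(source)}


def evaluate_rule(rule, logs):
    """Fire one alert per group-by key whose matching logs reach the threshold inside the sliding window."""
    matched = [entry for entry in logs
               if entry.get("type") == rule["log_type"]
               and all(entry.get(k) == v for k, v in rule["pattern"].items())]
    groups = defaultdict(list)
    for entry in matched:
        key = tuple(entry.get(f) for f in rule["group_by"])
        groups[key].append(datetime.fromisoformat(entry["time"]))
    alerts = []
    for key, times in groups.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > rule["window"]:  # drop events older than the window
                start += 1
            if end - start + 1 >= rule["threshold"]:
                group = dict(zip(rule["group_by"], key))
                alerts.append({
                    "rule": rule["name"], "severity": rule["severity"],
                    "group": group, "count": len(times),
                    "first_occurred": times[0].isoformat(),
                    "last_occurred": times[-1].isoformat(),
                    **assign_source_target(group),
                })
                break  # one alert per group; later logs would be "related" occurrences
    return alerts


if __name__ == "__main__":
    for alert in evaluate_rule(RULE, SAMPLE_LOGS):
        print(f"{alert['severity']}: {alert['rule']} Source={alert['source']} "
              f"Target={alert['target']} ({alert['direction']}, {alert['count']} logs)")
```

Two points worth noticing when running it: the internal host that fails twice and the outside address whose three failures are spread across 14 minutes never reach the threshold inside a single window, so only the burst from 203.0.113.10 produces an alert, and because that Source is outside the assumed internal ranges the alert is tagged external, which is the first triage question the Source and Target fields are meant to answer.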

Alert details pane

You can double-click a record in the Related Alerts table to open an alert details pane.

The pane is titled with the alert name and has the following tabs:

Tab

Description

Alert Details

Displays the alert details in a formatted view. You can toggle to view the raw JSON. You can use the search bar to find specific information within the alert details.

At the bottom of the Formatted View, you can add or edit a Note for the alert.

In the Formatted View, you can click the value in the Endpoint field to display the endpoint details pane. For more information about this pane, see Asset List.

Triage agent

The triage agent is available with a valid license for FortiAI. For more information, see Alert triage agent.

Triggering Logs

Displays a sample of logs that triggered the alert. You can view the log details in this tab.

Rule Summary

Displays information about the alert handler rule that triggered the alert. This includes the rule name, description, log type, severity, pattern, threshold, and group by information.

Timeline

Displays a timeline for related alerts. From the Entity dropdown, select the entity/entities to include in the timeline.

Click alerts in the timeline to open the alert details pane.

The Actions dropdown in this pane includes the same actions as available from the Related Alerts table. See Related Alerts above.

To support investigation, you can also access the alert details pane from endpoints and users in the Asset Identity List. For more information, see Asset List and Identity List.
