Fortinet black logo

Administration Guide

Analyzing an incident

Analyzing an incident

In Incidents & Events/FortiSoC > Incidents, double-click an incident or right-click an incident and select Analysis.

The analysis page shows the incident's affected endpoint and user, audit history, attached events, reports, comments, and more.

In the incident information panel, you can change information collected about the incident.

In order to assist SOC analysts during their investigation, comments and reports can be attached to incidents.

In the Events panel, you can review and delete events attached to the incident. See Raising an incident.

The Analysis page includes the following information and features:

Panel

Description

Incident information

General information about the incident.

Click Edit to modify the following information:

  • Incident Number: The unique incident ID.
  • Incident Date/Time: The date and time that the incident was created.
  • Incident Category: The incident category, including Unauthorized Access, Denial of Service (DoS), Malicious Code, Improper Usage, Scans/Probes/Attempted Access, and Uncategorized.
  • Severity: The severity of the incident, including High, Medium, and Low.
  • Status: The current status of the incident, including New, Analysis, Response, Closed: Remediated, and Closed: False Positive.
  • Affected Endpoint: The endpoint associated with this incident.
  • Description: A description of the incident provided by the administrator.
  • Assigned To: A dropdown menu of administrators to which the incident can be assigned.

Click Refresh to manually update the displayed information.

Affected Endpoint/User Information about the affected endpoint/users.
Executed Playbooks

The history of executed playbooks related to the incident.

Click Execute Playbook to run a playbook configured with the On_Demand trigger. See FortiSoC.

Audit History

Displays the history of changes made to an incident, including the user who made the change and information about the type of change that was made.

Click Expand All to see additional details.

Incident Timeline

The timeline of the events raised for the incident.

Scroll using your mouse wheel to change the displayed time frame.

Comments

Displays comments made by administrators for this incident with a timestamp. The most recent comments appear at the top of the list.

Enter a comment and click POST to create a new comment.

Existing comments can be edited and deleted by administrators.

Events

Displays the events that have been raised for this incident.

Reports

Attach and manage reports related to this incident.

See Adding reports to an incident.

Analyzing an incident

In Incidents & Events/FortiSoC > Incidents, double-click an incident or right-click an incident and select Analysis.

The analysis page shows the incident's affected endpoint and user, audit history, attached events, reports, comments, and more.

In the incident information panel, you can change information collected about the incident.

In order to assist SOC analysts during their investigation, comments and reports can be attached to incidents.

In the Events panel, you can review and delete events attached to the incident. See Raising an incident.

The Analysis page includes the following information and features:

Panel

Description

Incident information

General information about the incident.

Click Edit to modify the following information:

  • Incident Number: The unique incident ID.
  • Incident Date/Time: The date and time that the incident was created.
  • Incident Category: The incident category, including Unauthorized Access, Denial of Service (DoS), Malicious Code, Improper Usage, Scans/Probes/Attempted Access, and Uncategorized.
  • Severity: The severity of the incident, including High, Medium, and Low.
  • Status: The current status of the incident, including New, Analysis, Response, Closed: Remediated, and Closed: False Positive.
  • Affected Endpoint: The endpoint associated with this incident.
  • Description: A description of the incident provided by the administrator.
  • Assigned To: A dropdown menu of administrators to which the incident can be assigned.

Click Refresh to manually update the displayed information.

Affected Endpoint/User Information about the affected endpoint/users.
Executed Playbooks

The history of executed playbooks related to the incident.

Click Execute Playbook to run a playbook configured with the On_Demand trigger. See FortiSoC.

Audit History

Displays the history of changes made to an incident, including the user who made the change and information about the type of change that was made.

Click Expand All to see additional details.

Incident Timeline

The timeline of the events raised for the incident.

Scroll using your mouse wheel to change the displayed time frame.

Comments

Displays comments made by administrators for this incident with a timestamp. The most recent comments appear at the top of the list.

Enter a comment and click POST to create a new comment.

Existing comments can be edited and deleted by administrators.

Events

Displays the events that have been raised for this incident.

Reports

Attach and manage reports related to this incident.

See Adding reports to an incident.