Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiAnalyzer 6.4.0 Administration Guide
    6.4.0
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.9
    5.2.7
    5.2.6
    5.2.5
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.13
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.0
    4.2.0
    4.1.0
    4.0.0

    Analyzing an incident

    Analyzing an incident

    In Incidents & Events/FortiSoC > Incidents, double-click an incident or right-click an incident and select Analysis.

    The analysis page shows the incident's affected endpoint and user, audit history, attached events, reports, comments, and more.

    In the incident information panel, you can change information collected about the incident.

    In order to assist SOC analysts during their investigation, comments and reports can be attached to incidents.

    In the Events panel, you can review and delete events attached to the incident. See Raising an incident.

    The Analysis page includes the following information and features:

    Panel

    Description
    Incident information

    General information about the incident.

    Click Edit to modify the following information:

    • Incident Number: The unique incident ID.
    • Incident Date/Time: The date and time that the incident was created.
    • Incident Category: The incident category, including Unauthorized Access, Denial of Service (DoS), Malicious Code, Improper Usage, Scans/Probes/Attempted Access, and Uncategorized.
    • Severity: The severity of the incident, including High, Medium, and Low.
    • Status: The current status of the incident, including New, Analysis, Response, Closed: Remediated, and Closed: False Positive.
    • Affected Endpoint: The endpoint associated with this incident.
    • Description: A description of the incident provided by the administrator.
    • Assigned To: A dropdown menu of administrators to which the incident can be assigned.

    Click Refresh to manually update the displayed information.
    Affected Endpoint/User Information about the affected endpoint/users.
    Executed Playbooks

    The history of executed playbooks related to the incident.

    Click Execute Playbook to run a playbook configured with the On_Demand trigger. See FortiSoC.
    Audit History

    Displays the history of changes made to an incident, including the user who made the change and information about the type of change that was made.

    Click Expand All to see additional details.
    Incident Timeline

    The timeline of the events raised for the incident.

    Scroll using your mouse wheel to change the displayed time frame.

    Comments

    Displays comments made by administrators for this incident with a timestamp. The most recent comments appear at the top of the list.

    Enter a comment and click POST to create a new comment.

    Existing comments can be edited and deleted by administrators.

    Events

    Displays the events that have been raised for this incident.

    Reports

    Attach and manage reports related to this incident.

    See Adding reports to an incident.
    Previous
    Next

    Analyzing an incident

    Analyzing an incident

    In Incidents & Events/FortiSoC > Incidents, double-click an incident or right-click an incident and select Analysis.

    The analysis page shows the incident's affected endpoint and user, audit history, attached events, reports, comments, and more.

    In the incident information panel, you can change information collected about the incident.

    In order to assist SOC analysts during their investigation, comments and reports can be attached to incidents.

    In the Events panel, you can review and delete events attached to the incident. See Raising an incident.

    The Analysis page includes the following information and features:

    Panel

    Description
    Incident information

    General information about the incident.

    Click Edit to modify the following information:

    • Incident Number: The unique incident ID.
    • Incident Date/Time: The date and time that the incident was created.
    • Incident Category: The incident category, including Unauthorized Access, Denial of Service (DoS), Malicious Code, Improper Usage, Scans/Probes/Attempted Access, and Uncategorized.
    • Severity: The severity of the incident, including High, Medium, and Low.
    • Status: The current status of the incident, including New, Analysis, Response, Closed: Remediated, and Closed: False Positive.
    • Affected Endpoint: The endpoint associated with this incident.
    • Description: A description of the incident provided by the administrator.
    • Assigned To: A dropdown menu of administrators to which the incident can be assigned.

    Click Refresh to manually update the displayed information.
    Affected Endpoint/User Information about the affected endpoint/users.
    Executed Playbooks

    The history of executed playbooks related to the incident.

    Click Execute Playbook to run a playbook configured with the On_Demand trigger. See FortiSoC.
    Audit History

    Displays the history of changes made to an incident, including the user who made the change and information about the type of change that was made.

    Click Expand All to see additional details.
    Incident Timeline

    The timeline of the events raised for the incident.

    Scroll using your mouse wheel to change the displayed time frame.

    Comments

    Displays comments made by administrators for this incident with a timestamp. The most recent comments appear at the top of the list.

    Enter a comment and click POST to create a new comment.

    Existing comments can be edited and deleted by administrators.

    Events

    Displays the events that have been raised for this incident.

    Reports

    Attach and manage reports related to this incident.

    See Adding reports to an incident.
    Previous
    Next