SIEM correlation and analysis
Expand the built-in SIEM framework for automated correlation and analysis using the normalized log fields that are critical for SOC threat hunting. Data is aggregated, correlated across these fields of interest, and organized in a digestible format ready for the SOC to consume. Global filters can be applied on the fly to help the SOC quickly zero in on the relevant timeline, endpoint events, and suspicious activities, identify anomalies and behavior patterns, and uncover hidden threats.
To view the Threat Hunting dashboard:
- Go to FortiSoC > Threat Hunting.
The Threat Hunting dashboard is displayed. This dashboard provides fast searching (drilldown) using cached data on fields of interest from the SIEM database, and includes a graphical chart of Log Count during the specified time range.
The dashboard includes a predefined time filter to specify the time range you want to view. You can manually drag the progress bar below the Log Count graph to display the chart for a different time range, and the data changes accordingly.
The left pane lists the selectable fields of interest. The right pane provides analytics that display the actual values for the selected field, with statistics for the selected time range.
- Right-click a value in the table to add it to a filter. The fields in the left pane and the Log Count chart are updated to reflect the filter.
- Double-click a column of interest in the right pane to drill down and see detailed log information. The drilldown view provides the same functions as Log View, including a search bar filter, a time filter, and column settings.