
Administration Guide

Threat Hunting

FortiSoC includes the Threat Hunting pane, which offers a SOC analytics dashboard using the SIEM database. Threat Hunting uses cached data to allow SOC analysts to quickly drill down on logs in fields of interest. To view the Threat Hunting dashboard, go to FortiSoC > Threat Hunting. The Threat Hunting dashboard includes a log count chart and SIEM log analytics table.

The Threat Hunting dashboard is only available in Fabric ADOMs when ADOMs are enabled.

To change the displayed time range, select a time from the dropdown in the top-left corner of the dashboard. You can configure custom time ranges by selecting either Last N Minutes, Last N Hours, or Last N Days. Apply filters to the dashboard using Add Filter or by right-clicking on a value in the table and selecting the corresponding filter. Only logs matching the selected time range and filter are displayed in the SIEM log analytics table.

You can toggle between the light mode and dark mode dashboard theme using the Dark Mode toggle in the toolbar.

Using the log count chart

A chart displaying the total log count during the specified time range is presented at the top of the Threat Hunting dashboard.

You can zoom in and out on the displayed time range by using your mouse's scroll wheel or by adjusting the time bar below the graph. You can adjust the time bar by dragging the start and stop bars on either side of the selected time range, or by clicking and dragging the entire time range to the left or right. Only logs displayed within the time period visible in the chart are shown in the SIEM log analytics table.

Using the SIEM log analytics table

The SIEM log analytics table contains a list of fields of interest in the left menu as well as the analytics table. You can select a field from the left menu to view corresponding data in the table. The table includes a row for the null value of that field, if applicable. For example, see the image below where Application Service is blank (null) in row 5.

Double-click an item in the table to open the log drilldown page, which displays detailed log information. This page includes the same functions that are available in Log View, including the search bar filter, time filter, column settings, right-click filter, and more. See Viewing message details.
