Fortinet white logo
Fortinet white logo

Administration Guide

Working with Compromised Hosts information

Working with Compromised Hosts information

Go to FortiView > Threats > Compromised Hosts.

Click the Settings icon to change the following:

Chart Type

Select one of the following: table (default), users IOC, or bubble.

Show Top

Select the number of results to display. Different options are available according to the Chart Type.

Show Acknowledged

Include acknowledged sources in the results. Disabled by default.

Only Show Rescan

Only display results from rescan tasks. Disabled by default.

For information about rescan settings, see Managing a Compromised Hosts rescan policy.

You can set the devices, time period, and filters for the dashboard.

Using Compromised Hosts when Chart Type = table:

This chart type displays IOC line items in a table view. Click the export icon to export the table information into a PDF or report chart.

There is a record for each source, and the # of Threats column displays the number of unique threat names associated with that end user. To filter the table, click + to add a filter such as device ID, log type, or security action.

The following columns are available:

Source (User/IP) The endpoint/end user that with indicator(s) of compromise.
Last Detected The last time a threat was detected on the end user. A rescan icon indicates that threats found also include results from an IOC rescan task.

Host Name

The host name of the end user.

OS

The OS used by the end user.

Verdict

When threats are identified using the blocklist, the verdict is Infected.

# of Threats

The number of unique threats associated with the end user.

You can drill down by double-clicking the record to view the different threats in the Blocklist and Suspicious table views. In those views, you will also be able to drill down further to the different logs where matches were found to the threat database.

Acknowledge

Indicates if the potential compromise has been acknowledged by the user. To add an acknowledgment comment, click ACK and submit desired remark.

Device Name

The related logging device.

To drill down and view threat details for a particular endpoint, right-click a row and select Blocklist or Suspicious. Alternatively, double-click a row to open the Blocklist. You can toggle between Blocklist and Suspicious from this view.

The Blocklist and Suspicious table views list all unique threats detected for the end user. A summary of the end user is provided above the table.

The following columns are available:

Detect Patterns

The IP, URL, or domain that was matched to the blocklist or suspicious list in the threat database. Click for more information from FortiGuard, including:

  • Detect Pattern

  • IOC Tags

  • Confidence

  • Live Ratings

  • Events

  • Reference URL

From this dialog, you can show the raw data for the detect pattern or report a misrated indicator of compromise.

Threat Type

The threat type as defined in FortiGuard. Click for a brief description.

Threat Name

The threat name as defined in FortiGuard. Click for a brief description.

Category

The category for the threat.

Detect Method

The method for detecting the compromise. In the example above, it is "infected-ip", which means an IP in the logs matches a blocklist IP in the threat database. Threats can also be detected through infected URLs and domains identified on the threat database.

# of Events

The number of events matching this detect pattern that have been flagged for the end user. There is a separate log for each event. You can double-click the row to find more information about the logs.

Log Type

The log type(s) where the potential compromise was detected.

Security Actions

The action that has been taken against the detection, such as blocked or timeout. Click for more details, including the Device ID and VDOM.

Scan Time

When the user was last scanned for IOC.

Double-click a record in the table to open Log View filtered to display the related events. For example, double-clicking a record in the Blocklist table will display Log View filtered by the bl_pattern_id and the UEBA Endpoint ID.

In the Log View, you can double-click a record in the table to open the log details. Note that you have not left FortiView, so you can click the breadcrumbs at the top of the pane to navigate back to the Blocklist or Indicator of Compromise views. See below.

Using Compromised Hosts when Chart Type = users IOC:

This chart type includes two panes: a rotating list of users and a map of incidents.

The rotating list of users automatically rotates through compromised hosts. This includes the endpoint information and the number of unique threat names associated with that end user. You can pause autoplay or click > or < to manually move to another user.

Using Compromised Hosts when Chart Type = bubble:

In the Sort By dropdown, select which top IOC to display in the bubble chart: by verdict or by number of threats. Mouse-over a bubble to display the following information:

  • Source

  • Last Detected

  • Host Name

  • OS

  • Verdict

  • # of Threats

  • Achnowledge

  • Device Name

  • Device ID

Double-click a bubble to drill down to the Blocklist view for the related end user.

Working with Compromised Hosts information

Working with Compromised Hosts information

Go to FortiView > Threats > Compromised Hosts.

Click the Settings icon to change the following:

Chart Type

Select one of the following: table (default), users IOC, or bubble.

Show Top

Select the number of results to display. Different options are available according to the Chart Type.

Show Acknowledged

Include acknowledged sources in the results. Disabled by default.

Only Show Rescan

Only display results from rescan tasks. Disabled by default.

For information about rescan settings, see Managing a Compromised Hosts rescan policy.

You can set the devices, time period, and filters for the dashboard.

Using Compromised Hosts when Chart Type = table:

This chart type displays IOC line items in a table view. Click the export icon to export the table information into a PDF or report chart.

There is a record for each source, and the # of Threats column displays the number of unique threat names associated with that end user. To filter the table, click + to add a filter such as device ID, log type, or security action.

The following columns are available:

Source (User/IP) The endpoint/end user that with indicator(s) of compromise.
Last Detected The last time a threat was detected on the end user. A rescan icon indicates that threats found also include results from an IOC rescan task.

Host Name

The host name of the end user.

OS

The OS used by the end user.

Verdict

When threats are identified using the blocklist, the verdict is Infected.

# of Threats

The number of unique threats associated with the end user.

You can drill down by double-clicking the record to view the different threats in the Blocklist and Suspicious table views. In those views, you will also be able to drill down further to the different logs where matches were found to the threat database.

Acknowledge

Indicates if the potential compromise has been acknowledged by the user. To add an acknowledgment comment, click ACK and submit desired remark.

Device Name

The related logging device.

To drill down and view threat details for a particular endpoint, right-click a row and select Blocklist or Suspicious. Alternatively, double-click a row to open the Blocklist. You can toggle between Blocklist and Suspicious from this view.

The Blocklist and Suspicious table views list all unique threats detected for the end user. A summary of the end user is provided above the table.

The following columns are available:

Detect Patterns

The IP, URL, or domain that was matched to the blocklist or suspicious list in the threat database. Click for more information from FortiGuard, including:

  • Detect Pattern

  • IOC Tags

  • Confidence

  • Live Ratings

  • Events

  • Reference URL

From this dialog, you can show the raw data for the detect pattern or report a misrated indicator of compromise.

Threat Type

The threat type as defined in FortiGuard. Click for a brief description.

Threat Name

The threat name as defined in FortiGuard. Click for a brief description.

Category

The category for the threat.

Detect Method

The method for detecting the compromise. In the example above, it is "infected-ip", which means an IP in the logs matches a blocklist IP in the threat database. Threats can also be detected through infected URLs and domains identified on the threat database.

# of Events

The number of events matching this detect pattern that have been flagged for the end user. There is a separate log for each event. You can double-click the row to find more information about the logs.

Log Type

The log type(s) where the potential compromise was detected.

Security Actions

The action that has been taken against the detection, such as blocked or timeout. Click for more details, including the Device ID and VDOM.

Scan Time

When the user was last scanned for IOC.

Double-click a record in the table to open Log View filtered to display the related events. For example, double-clicking a record in the Blocklist table will display Log View filtered by the bl_pattern_id and the UEBA Endpoint ID.

In the Log View, you can double-click a record in the table to open the log details. Note that you have not left FortiView, so you can click the breadcrumbs at the top of the pane to navigate back to the Blocklist or Indicator of Compromise views. See below.

Using Compromised Hosts when Chart Type = users IOC:

This chart type includes two panes: a rotating list of users and a map of incidents.

The rotating list of users automatically rotates through compromised hosts. This includes the endpoint information and the number of unique threat names associated with that end user. You can pause autoplay or click > or < to manually move to another user.

Using Compromised Hosts when Chart Type = bubble:

In the Sort By dropdown, select which top IOC to display in the bubble chart: by verdict or by number of threats. Mouse-over a bubble to display the following information:

  • Source

  • Last Detected

  • Host Name

  • OS

  • Verdict

  • # of Threats

  • Achnowledge

  • Device Name

  • Device ID

Double-click a bubble to drill down to the Blocklist view for the related end user.