Working with Compromised Hosts information
Go to FortiView > Threats > Compromised Hosts.
Click the Settings icon to change the following:
Chart Type |
Select one of the following: table (default), users IOC, or bubble. |
Show Top |
Select the number of results to display. Different options are available according to the Chart Type. |
Show Acknowledged |
Include acknowledged sources in the results. Disabled by default. |
Only Show Rescan |
Only display results from rescan tasks. Disabled by default. |
For information about rescan settings, see Managing a Compromised Hosts rescan policy.
You can set the devices, time period, and filters for the dashboard.
Using Compromised Hosts when Chart Type = table:
This chart type displays IOC line items in a table view. Click the export icon to export the table information into a PDF or report chart.
There is a record for each source, and the # of Threats column displays the number of unique threat names associated with that end user. To filter the table, click + to add a filter such as device ID, log type, or security action.
The following columns are available:
Source (User/IP) | The endpoint/end user that with indicator(s) of compromise. |
Last Detected | The last time a threat was detected on the end user. A rescan icon indicates that threats found also include results from an IOC rescan task. |
Host Name |
The host name of the end user. |
OS |
The OS used by the end user. |
Verdict |
When threats are identified using the blocklist, the verdict is |
# of Threats |
The number of unique threats associated with the end user. You can drill down by double-clicking the record to view the different threats in the Blocklist and Suspicious table views. In those views, you will also be able to drill down further to the different logs where matches were found to the threat database. |
Acknowledge |
Indicates if the potential compromise has been acknowledged by the user. To add an acknowledgment comment, click ACK and submit desired remark. |
Device Name |
The related logging device. |
To drill down and view threat details for a particular endpoint, right-click a row and select Blocklist or Suspicious. Alternatively, double-click a row to open the Blocklist. You can toggle between Blocklist and Suspicious from this view.
The Blocklist and Suspicious table views list all unique threats detected for the end user. A summary of the end user is provided above the table.
The following columns are available:
Detect Patterns |
The IP, URL, or domain that was matched to the blocklist or suspicious list in the threat database. Click for more information from FortiGuard, including:
From this dialog, you can show the raw data for the detect pattern or report a misrated indicator of compromise. |
Threat Type |
The threat type as defined in FortiGuard. Click for a brief description. |
Threat Name |
The threat name as defined in FortiGuard. Click for a brief description. |
Category |
The category for the threat. |
Detect Method |
The method for detecting the compromise. In the example above, it is " |
# of Events |
The number of events matching this detect pattern that have been flagged for the end user. There is a separate log for each event. You can double-click the row to find more information about the logs. |
Log Type |
The log type(s) where the potential compromise was detected. |
Security Actions |
The action that has been taken against the detection, such as blocked or timeout. Click for more details, including the Device ID and VDOM. |
Scan Time |
When the user was last scanned for IOC. |
Double-click a record in the table to open Log View filtered to display the related events. For example, double-clicking a record in the Blocklist table will display Log View filtered by the bl_pattern_id
and the UEBA Endpoint ID
.
In the Log View, you can double-click a record in the table to open the log details. Note that you have not left FortiView, so you can click the breadcrumbs at the top of the pane to navigate back to the Blocklist or Indicator of Compromise views. See below.
Using Compromised Hosts when Chart Type = users IOC:
This chart type includes two panes: a rotating list of users and a map of incidents.
The rotating list of users automatically rotates through compromised hosts. This includes the endpoint information and the number of unique threat names associated with that end user. You can pause autoplay or click > or < to manually move to another user.
Using Compromised Hosts when Chart Type = bubble:
In the Sort By dropdown, select which top IOC to display in the bubble chart: by verdict or by number of threats. Mouse-over a bubble to display the following information:
-
Source
-
Last Detected
-
Host Name
-
OS
-
Verdict
-
# of Threats
-
Achnowledge
-
Device Name
-
Device ID
Double-click a bubble to drill down to the Blocklist view for the related end user.