
Administration Guide

Working with IOC information

Go to FortiView > Threats > Indicator of Compromise.

Click the Settings icon to change the following:

Chart Type

Select one of the following: table (default), users IOC, or bubble.

Show Top

Select the number of results to display. Different options are available according to the Chart Type.

Show Acknowledged

Include acknowledged sources in the results. Disabled by default.

Only Show Rescan

Only display results from rescan tasks. Disabled by default.

For information about rescan settings, see Managing an IOC rescan policy.

You can set the devices, time period, and filters for the dashboard. If there are regularly used filters, you can create a custom view. See Creating custom views for FortiView.

Using Indicator of Compromise when Chart Type = table:

This chart type displays IOC line items in a table view. The total number of sources with indicators for compromise is displayed above the table. Click the export icon to export the table information into a PDF or report chart.

There is a record for each source, and the # of Threats column displays the number of unique threat names associated with that end user. To filter the table, click + to add a filter such as device ID, log type, or security action.

The following columns are available:

Source (User/IP)

The endpoint/end user with indicator(s) of compromise.

Last Detected

The last time a threat was detected on the end user. A rescan icon indicates that the threats found also include results from an IOC rescan task.

Host Name

The host name of the end user.

OS

The OS used by the end user.

Log Types

The log types that identified the threats. This could be traffic, web filter, DNS, or email filter log types.

Security Actions

The actions taken against the threats, such as block, timeout, or close.

Verdict

When threats are identified using the blocklist, the verdict is Infected.

# of Threats

The number of unique threats associated with the end user.

You can drill down by double-clicking the record to view the different threats in the Blocklist and Suspicious table views. In those views, you will also be able to drill down further to the different logs where matches were found to the threat database.

Acknowledge

Indicates whether the potential compromise has been acknowledged by the user. To add an acknowledgment comment, click ACK and submit the desired remark.

Device Name

The related logging device.

To drill down and view threat details for a particular endpoint, right-click a row and select Blocklist or Suspicious. Alternatively, double-click a row to open the Blocklist. You can toggle between Blocklist and Suspicious from this view.

The Blocklist and Suspicious table views list all unique threats detected for the end user. A summary of the end user is provided above the table.

The following columns are available:

Detect Patterns

The IP, URL, or domain that was matched to the blocklist or suspicious list in the threat database. Click for more information from FortiGuard, including:

  • Detect Pattern

  • IOC Tags

  • Confidence

  • Live Ratings

  • Events

  • Reference URL

From this dialog, you can show the raw data for the detect pattern or report a misrated indicator of compromise.

Threat Type

The threat type as defined in FortiGuard. Click for a brief description.

Threat Name

The threat name as defined in FortiGuard. Click for a brief description.

Category

The category for the threat.

Detect Method

The method for detecting the compromise. In the example above, it is "infected-ip", which means an IP in the logs matches a blocklist IP in the threat database. Threats can also be detected through infected URLs and domains identified on the threat database.

# of Events

The number of events matching this detect pattern that have been flagged for the end user. There is a separate log for each event. You can double-click the row to find more information about the logs.

Log Type

The log type(s) where the potential compromise was detected.

Security Actions

The action that has been taken against the detection, such as blocked or timeout. Click for more details, including the Device ID and VDOM.

Scan Time

When the user was last scanned for IOC.

Double-click a record in the table to open Log View filtered to display the related events. For example, double-clicking a record in the Blocklist table will display Log View filtered by the bl_pattern_id and the srcip.

In the Log View, you can double-click a record in the table to open the log details. Note that you have not left FortiView, so you can click the breadcrumbs at the top of the pane to navigate back to the Blocklist or Indicator of Compromise views. See below.
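The following constructed example, added here and not FortiAnalyzer code, shows how the two table views described above can be derived from log records: one row per source whose # of Threats counts unique threat names, and one Blocklist/Suspicious drill-down row per detect pattern whose # of Events lists the matching logs. The log field names, the list contents and the mapping of matched field to detect method (infected-ip, infected-domain, infected-url) are assumptions.

```python
# Constructed threat-database entries (assumption): pattern -> (threat name, threat type).
BLOCKLIST = {
    "198.51.100.7": ("Example.Botnet.A", "Botnet"),
    "bad.example.test": ("Example.Malware.Downloader", "Malware"),
}
SUSPICIOUS = {
    "http://suspicious.example.test/login": ("Example.Phish.Page", "Phishing"),
}

# Constructed log records; srcip identifies the source (end user) in each view.
LOGS = [
    {"logid": 1, "logtype": "traffic", "srcip": "10.0.0.5", "dstip": "198.51.100.7", "action": "block"},
    {"logid": 2, "logtype": "traffic", "srcip": "10.0.0.5", "dstip": "198.51.100.7", "action": "timeout"},
    {"logid": 3, "logtype": "dns", "srcip": "10.0.0.5", "qname": "bad.example.test", "action": "block"},
    {"logid": 4, "logtype": "webfilter", "srcip": "10.0.0.9", "url": "http://suspicious.example.test/login", "action": "passthrough"},
    {"logid": 5, "logtype": "traffic", "srcip": "10.0.0.9", "dstip": "203.0.113.1", "action": "accept"},
]

def detect_method(field):
    # Assumed mapping from the matched log field to the Detect Method column.
    return {"dstip": "infected-ip", "qname": "infected-domain", "url": "infected-url"}[field]

def match_log(log):
    """Return (pattern, field, verdict, threat name) when a log field hits a list, else None."""
    for field in ("dstip", "qname", "url"):
        value = log.get(field)
        if value in BLOCKLIST:       # blocklist match -> verdict Infected
            return value, field, "Infected", BLOCKLIST[value][0]
        if value in SUSPICIOUS:      # suspicious-list match -> verdict Suspicious
            return value, field, "Suspicious", SUSPICIOUS[value][0]
    return None

def build_ioc_tables(logs):
    """sources: srcip -> IOC table row; patterns: (srcip, pattern) -> drill-down row."""
    sources, patterns = {}, {}
    for log in logs:
        hit = match_log(log)
        if hit is None:
            continue                 # no indicator in this log; nothing to list
        pattern, field, verdict, threat = hit
        row = sources.setdefault(log["srcip"], {"threats": set(), "log_types": set(),
                                               "actions": set(), "verdict": "Suspicious"})
        row["threats"].add(threat)   # # of Threats = number of unique threat names
        row["log_types"].add(log["logtype"])
        row["actions"].add(log["action"])
        if verdict == "Infected":    # any blocklist hit makes the source Infected
            row["verdict"] = "Infected"
        p = patterns.setdefault((log["srcip"], pattern), {"threat": threat, "verdict": verdict,
                                                          "method": detect_method(field), "events": []})
        p["events"].append(log["logid"])  # # of Events: one log per event
    return sources, patterns
```

Each entry in `patterns[...]["events"]` is one log the drill-down would open in Log View when filtered by the pattern and the source IP.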

Using Indicator of Compromise when Chart Type = users IOC:

This chart type includes two panes: a rotating list of users and a map of incidents.

The rotating list of users automatically rotates through indicators of compromise. This includes the endpoint information and the number of unique threat names associated with that end user. You can pause autoplay or click > or < to manually move to another user.

Using Indicator of Compromise when Chart Type = bubble:

In the Sort By dropdown, select which top IOC to display in the bubble chart: by verdict or by number of threats. Mouse-over a bubble to display the following information:

  • Source

  • Last Detected

  • Host Name

  • OS

  • Log Types

  • Security Actions

  • Verdict

  • # of Threats

  • Acknowledge

  • Device Name

  • Device ID