Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiAnalyzer 7.6.0 Administration Guide
    7.6.0
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.9
    5.2.7
    5.2.6
    5.2.5
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.13
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.0
    4.2.0
    4.1.0
    4.0.0

    Managing indicators

    Managing indicators

    Indicators can be found in Incidents & Events > Indicators. This pane contains a chart view and table view of the indicators.

    There are three charts in the chart view:

    • Indicator Type

    • Reputation

    • Enrichment Status

    By default, all three charts are displayed. From the Show Charts dropdown, you can toggle which charts display. You can also toggle Show Charts to hide all charts, when needed.

    Select a value in any of the charts to apply the filter to all charts and the table view. To remove the filter, click the chart title.

    The following actions are available in the toolbar:

    Action

    Description
    Create New Create a new indicator. Once the indicator is created, the Source column will display the admin that created it.

    Edit

    Edit the indicator.

    Delete

    Delete the indicator.

    Enrich

    Enrich the indicator. For more information, see Indicator enrichment.

    The following columns are available in the table view:

    Column

    Description
    Indicator The indicator name.

    Type

    The indicator type:

    • IP

    • URL

    • Domain

    Rating Confidence

    The rating confidence from FortiGuard.

    Reputation

    The reputation from VirusTotal:

    • Malicious

    • Suspicious

    • Harmless

    • Undetected

    Enrichment Status

    The enrichment status:

    • Enriched (completed)

    • No enrichment

    • No data

    Source

    The source of the enrichment:

    • <administrator name>

    • auto-created
    To create a new indicator:

    1. Go to Incidents & Events > Indicators.

    2. Click Create New.

    3. From the Indicator dropdown, select the indicator type.

    4. In the Indicator Value field, enter the appropriate value for the indicator type (IP, URL, or domain).

    5. Click Create.

    To edit an indicator:

    1. Go to Incidents & Events > Indicators.

    2. Select and indicator, and click Edit.

    3. Update the indicator.

    4. To save the changes, click Edit.

    To delete an indicator:

    1. Go to Incidents & Events > Indicators.

    2. Select and indicator, and click Delete.

    3. To confirm the deletion, click OK.

    To enrich an indicator:

    1. Go to Incidents & Events > Indicators.

    2. Select and indicator, and click Enrich.

      Alternatively, you can double-click the indicator or right-click the indicator and click Enrich.

      The Enrich pane displays.

    3. Review the details in the Enrich pane.

    4. Click Save Enrichment or Cancel according to the review.

      The indicator will only be processed and enriched after clicking Save Enrichment.

    Previous
    Next

    Managing indicators

    Managing indicators

    Indicators can be found in Incidents & Events > Indicators. This pane contains a chart view and table view of the indicators.

    There are three charts in the chart view:

    • Indicator Type

    • Reputation

    • Enrichment Status

    By default, all three charts are displayed. From the Show Charts dropdown, you can toggle which charts display. You can also toggle Show Charts to hide all charts, when needed.

    Select a value in any of the charts to apply the filter to all charts and the table view. To remove the filter, click the chart title.

    The following actions are available in the toolbar:

    Action

    Description
    Create New Create a new indicator. Once the indicator is created, the Source column will display the admin that created it.

    Edit

    Edit the indicator.

    Delete

    Delete the indicator.

    Enrich

    Enrich the indicator. For more information, see Indicator enrichment.

    The following columns are available in the table view:

    Column

    Description
    Indicator The indicator name.

    Type

    The indicator type:

    • IP

    • URL

    • Domain

    Rating Confidence

    The rating confidence from FortiGuard.

    Reputation

    The reputation from VirusTotal:

    • Malicious

    • Suspicious

    • Harmless

    • Undetected

    Enrichment Status

    The enrichment status:

    • Enriched (completed)

    • No enrichment

    • No data

    Source

    The source of the enrichment:

    • <administrator name>

    • auto-created
    To create a new indicator:

    1. Go to Incidents & Events > Indicators.

    2. Click Create New.

    3. From the Indicator dropdown, select the indicator type.

    4. In the Indicator Value field, enter the appropriate value for the indicator type (IP, URL, or domain).

    5. Click Create.

    To edit an indicator:

    1. Go to Incidents & Events > Indicators.

    2. Select and indicator, and click Edit.

    3. Update the indicator.

    4. To save the changes, click Edit.

    To delete an indicator:

    1. Go to Incidents & Events > Indicators.

    2. Select and indicator, and click Delete.

    3. To confirm the deletion, click OK.

    To enrich an indicator:

    1. Go to Incidents & Events > Indicators.

    2. Select and indicator, and click Enrich.

      Alternatively, you can double-click the indicator or right-click the indicator and click Enrich.

      The Enrich pane displays.

    3. Review the details in the Enrich pane.

    4. Click Save Enrichment or Cancel according to the review.

      The indicator will only be processed and enriched after clicking Save Enrichment.

    Previous
    Next