
Administration Guide

Indicator enrichment

The indicator enrichment feature empowers security analysts by providing them with comprehensive threat intelligence on identified IP addresses, domains, and URLs. This enriched context allows for a deeper understanding of security incidents, leading to more informed and effective response decisions.

FortiAnalyzer uses FortiGuard and VirusTotal enrichment services to evaluate the risk posed by the indicators. These services are invoked by a predefined playbook in FortiAnalyzer, Indicator Enrichment, which is enabled by default and is read-only. It can be found in Incidents & Events > Automation > Playbook.

The FortiGuard enrichment services are built-in and ready to use, but VirusTotal requires an API Key in the fabric connector.

To set up the VirusTotal connector:
  1. Go to Incidents & Events > Automation > Active Connectors.

  2. Double-click the VirusTotal connector.

  3. In the API Key field, update the API key.

  4. Click OK.

  5. Enable the VirusTotal connector.

    When this connector is enabled, indicator enrichment will provide the VirusTotal information.

You can enrich indicators from the Indicator pane, or from an incident that contains the indicator. When an incident is raised from an event, the event's indicators are attached to the incident.

To enrich an indicator from an incident:
  1. Go to Incidents & Events > Incidents > Incidents.

  2. Select the related incident and click Analysis.

    You can also enrich the indicator from the toolbar in the table view.

    Note

    The Enrich option is only available when there are indicators that can be enriched. Private IP addresses are not valid IP indicators.

  3. Click Enrich.

    The Enrich pane displays.

  4. Review the details in the Enrich pane.

  5. Click Save Enrichment or Cancel according to the review.

    The indicator will only be processed and enriched after clicking Save Enrichment.

When indicators are enriched, FortiAnalyzer displays the following sections:

  FortiGuard CTS: Displays the indicator confidence, IOC tags, IOC, antivirus, and web filter categories.

  VirusTotal Summary: Displays a Risk Summary, a Detection tab, and a Details tab.

    Risk Summary: Displays detailed security vendor analysis, presenting a comprehensive list indicating whether each vendor has detected the indicator, along with their assigned risk category if detected.

    Detection: Displays detailed security vendor analysis, presenting a comprehensive list indicating whether each vendor has detected the indicator, along with their assigned risk category if detected.

    Details: Displays the Whois Summary and Whois Lookup, providing essential information such as organization details, address, data source, and contact information.

Note

Saving the same enrichment again updates the existing entry in the history. A new entry is only created when the enrichment content has changed.
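The two rules above (private IP addresses are not valid IP indicators, and re-saving an unchanged enrichment updates the existing history entry instead of creating a new one) are easy to get wrong when automating enrichment outside the GUI. The following Python helper is an added example written for this page, not FortiAnalyzer or playbook code; the indicator values, the `classify_indicator` and `EnrichmentHistory` names, and the enrichment dictionaries are constructed for illustration.

```python
import ipaddress
import re

# Constructed, simplified hostname pattern (not FortiAnalyzer's validator).
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def classify_indicator(value: str):
    """Return 'ip', 'domain' or 'url' for an enrichable indicator, else None.

    Private (RFC 1918), loopback, link-local and other non-global addresses
    are rejected: the page states that private IPs are not valid indicators.
    """
    v = value.strip()
    if v.lower().startswith(("http://", "https://")):
        return "url"
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        return "domain" if DOMAIN_RE.match(v) else None
    return "ip" if ip.is_global else None


def enrichable(indicators):
    """Keep only the indicators for which the Enrich option would be offered."""
    return [i for i in indicators if classify_indicator(i) is not None]


class EnrichmentHistory:
    """Per-indicator history mirroring the page's 'update unless changed' rule."""

    def __init__(self):
        self.entries = {}  # indicator -> list of {"enrichment": ..., "saved_at": ...}

    def save(self, indicator: str, enrichment: dict, saved_at: int) -> bool:
        """Save an enrichment. Returns True if a new entry was created,
        False if the latest entry was updated in place (same content)."""
        versions = self.entries.setdefault(indicator, [])
        if versions and versions[-1]["enrichment"] == enrichment:
            versions[-1]["saved_at"] = saved_at  # unchanged: refresh, no new entry
            return False
        versions.append({"enrichment": dict(enrichment), "saved_at": saved_at})
        return True


# Constructed sample input: only the public IP, domain and URL are enrichable.
SAMPLE = ["10.0.0.5", "192.168.1.20", "8.8.8.8", "example.com",
          "https://example.com/login", "not an indicator"]
```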
